From 1c4f799b0850ff5bfdc8e10ba1977277e74e2880 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 26 Nov 2022 09:00:49 -0500 Subject: [PATCH] Fixes for 6.0 Signed-off-by: Sasha Levin --- ...acklight-native-dmi-quirk-for-dell-g.patch | 52 ++++++ ...dd-quirk-to-fix-hamedal-c20-disconne.patch | 74 +++++++++ ...clude-asm-ptrace.h-in-syscall_wrappe.patch | 51 ++++++ ...ned-behavior-in-bit-shift-for-audit_.patch | 52 ++++++ ...er-validate-alloc-mm-in-mmap-handler.patch | 66 ++++++++ ...ll-pointer-dereference-in-bfq_bio_bf.patch | 151 ++++++++++++++++++ ...ointer-dereference-for-req-r_session.patch | 125 +++++++++++++++ ...loc-for-allocating-multiple-elements.patch | 37 +++++ ...fix-fclk-deviation-and-tool-compile-.patch | 64 ++++++++ ...-display-fix-gpio-port-mapping-issue.patch | 84 ++++++++++ ...only-fill-dirty-rectangles-when-psr-.patch | 45 ++++++ ...zeromem-mypipe-heap-struct-before-us.patch | 39 +++++ ...-eviction-lock-when-allocating-pt-bo.patch | 117 ++++++++++++++ ...ation-quirks-add-quirk-for-acer-swit.patch | 43 +++++ ...ation-quirks-add-quirk-for-nanote-um.patch | 40 +++++ ...ckdep-annote-io_poll_req_insert_lock.patch | 35 ++++ ...s-pic32-treat-port-as-signed-integer.patch | 105 ++++++++++++ ...ix-kernel-test-robot-reported-errors.patch | 48 ++++++ ...uiet-user-passthrough-command-errors.patch | 82 ++++++++++ ...-leak-in-nvmet_subsys_attr_model_sto.patch | 51 ++++++ ...eapad-laptop-disable-touchpad_switch.patch | 70 ++++++++ ...6-intel-hid-add-some-acpi-device-ids.patch | 38 +++++ ...el-pmt-sapphire-rapids-pmt-errata-fi.patch | 88 ++++++++++ ...chscreen_dmi-add-info-for-the-rca-ca.patch | 66 ++++++++ ...u-revert-drm-amdgpu-getting-fan-spee.patch | 65 ++++++++ ...c-report-real_dev-features-when-hw-o.patch | 114 +++++++++++++ ...ot-add-missing-symbols-to-version-se.patch | 69 ++++++++ ...ve-unleashed-add-pwm-controlled-leds.patch | 83 ++++++++++ ...s390-always-build-relocatable-kernel.patch | 113 +++++++++++++ ...x-warning-about-field-spanning-write.patch | 87 ++++++++++ ...d-path-failures-during-live-migratio.patch | 65 ++++++++ ...make-the-read-capacity-response-comp.patch | 59 +++++++ ...d-verifier-test-for-release_referenc.patch | 86 ++++++++++ ...-don-t-tests-batched-tcp-io_uring-zc.patch | 38 +++++ ...ve-more-time-to-udpgro-bg-processes-.patch | 79 +++++++++ queue-6.0/series | 43 +++++ ...m32_spi_prepare_mbr-that-halves-spi-.patch | 51 ++++++ ...d-don-t-initialise-dma-if-not-suppor.patch | 55 +++++++ ...iro-do-not-assign-1-to-unsigned-char.patch | 75 +++++++++ ...11k-fix-qcn9074-firmware-boot-on-x86.patch | 50 ++++++ ...cfg80211-fix-bitrates-overflow-issue.patch | 74 +++++++++ ...x-ack-frame-idr-leak-when-mesh-has-n.patch | 42 +++++ ...x-memory-free-error-when-registering.patch | 53 ++++++ ...sim-fix-debugfs-attribute-ps-with-rc.patch | 57 +++++++ 44 files changed, 2981 insertions(+) create mode 100644 queue-6.0/acpi-video-add-backlight-native-dmi-quirk-for-dell-g.patch create mode 100644 queue-6.0/alsa-usb-audio-add-quirk-to-fix-hamedal-c20-disconne.patch create mode 100644 queue-6.0/arm64-syscall-include-asm-ptrace.h-in-syscall_wrappe.patch create mode 100644 queue-6.0/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch create mode 100644 queue-6.0/binder-validate-alloc-mm-in-mmap-handler.patch create mode 100644 queue-6.0/block-bfq-fix-null-pointer-dereference-in-bfq_bio_bf.patch create mode 100644 queue-6.0/ceph-fix-null-pointer-dereference-for-req-r_session.patch create mode 100644 queue-6.0/ceph-use-kcalloc-for-allocating-multiple-elements.patch create mode 100644 queue-6.0/drm-amd-display-fix-fclk-deviation-and-tool-compile-.patch create mode 100644 queue-6.0/drm-amd-display-fix-gpio-port-mapping-issue.patch create mode 100644 queue-6.0/drm-amd-display-only-fill-dirty-rectangles-when-psr-.patch create mode 100644 queue-6.0/drm-amd-display-zeromem-mypipe-heap-struct-before-us.patch create mode 100644 queue-6.0/drm-amdgpu-drop-eviction-lock-when-allocating-pt-bo.patch create mode 100644 queue-6.0/drm-panel-orientation-quirks-add-quirk-for-acer-swit.patch create mode 100644 queue-6.0/drm-panel-orientation-quirks-add-quirk-for-nanote-um.patch create mode 100644 queue-6.0/io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch create mode 100644 queue-6.0/mips-pic32-treat-port-as-signed-integer.patch create mode 100644 queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-errors.patch create mode 100644 queue-6.0/nvme-quiet-user-passthrough-command-errors.patch create mode 100644 queue-6.0/nvmet-fix-memory-leak-in-nvmet_subsys_attr_model_sto.patch create mode 100644 queue-6.0/platform-x86-ideapad-laptop-disable-touchpad_switch.patch create mode 100644 queue-6.0/platform-x86-intel-hid-add-some-acpi-device-ids.patch create mode 100644 queue-6.0/platform-x86-intel-pmt-sapphire-rapids-pmt-errata-fi.patch create mode 100644 queue-6.0/platform-x86-touchscreen_dmi-add-info-for-the-rca-ca.patch create mode 100644 queue-6.0/revert-drm-amdgpu-revert-drm-amdgpu-getting-fan-spee.patch create mode 100644 queue-6.0/revert-net-macsec-report-real_dev-features-when-hw-o.patch create mode 100644 queue-6.0/risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch create mode 100644 queue-6.0/riscv-dts-sifive-unleashed-add-pwm-controlled-leds.patch create mode 100644 queue-6.0/s390-always-build-relocatable-kernel.patch create mode 100644 queue-6.0/s390-zcrypt-fix-warning-about-field-spanning-write.patch create mode 100644 queue-6.0/scsi-ibmvfc-avoid-path-failures-during-live-migratio.patch create mode 100644 queue-6.0/scsi-scsi_debug-make-the-read-capacity-response-comp.patch create mode 100644 queue-6.0/selftests-bpf-add-verifier-test-for-release_referenc.patch create mode 100644 queue-6.0/selftests-net-don-t-tests-batched-tcp-io_uring-zc.patch create mode 100644 queue-6.0/selftests-net-give-more-time-to-udpgro-bg-processes-.patch create mode 100644 queue-6.0/series create mode 100644 queue-6.0/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch create mode 100644 queue-6.0/spi-tegra210-quad-don-t-initialise-dma-if-not-suppor.patch create mode 100644 queue-6.0/wifi-airo-do-not-assign-1-to-unsigned-char.patch create mode 100644 queue-6.0/wifi-ath11k-fix-qcn9074-firmware-boot-on-x86.patch create mode 100644 queue-6.0/wifi-cfg80211-fix-bitrates-overflow-issue.patch create mode 100644 queue-6.0/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch create mode 100644 queue-6.0/wifi-mac80211-fix-memory-free-error-when-registering.patch create mode 100644 queue-6.0/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch diff --git a/queue-6.0/acpi-video-add-backlight-native-dmi-quirk-for-dell-g.patch b/queue-6.0/acpi-video-add-backlight-native-dmi-quirk-for-dell-g.patch new file mode 100644 index 00000000000..04dd377db27 --- /dev/null +++ b/queue-6.0/acpi-video-add-backlight-native-dmi-quirk-for-dell-g.patch @@ -0,0 +1,52 @@ +From 2dae5eb0691b92c168dd47474530fc27faf3df2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 21:20:59 +0100 +Subject: ACPI: video: Add backlight=native DMI quirk for Dell G15 5515 + +From: Hans de Goede + +[ Upstream commit f46acc1efd4b5846de9fa05f966e504f328f34a6 ] + +The Dell G15 5515 has the WMI interface (and WMI call returns) expected +by the nvidia-wmi-ec-backlight interface. But the backlight class device +registered by the nvidia-wmi-ec-backlight driver does not actually work. + +The amdgpu_bl0 native GPU backlight class device does actually work, +add a backlight=native DMI quirk for this. + +Reported-by: Iris +Reviewed-by: Daniel Dadap +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 68a566f69684..aae9261c424a 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -578,6 +578,20 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), + }, + }, ++ /* ++ * Models which have nvidia-ec-wmi support, but should not use it. ++ * Note this indicates a likely firmware bug on these models and should ++ * be revisited if/when Linux gets support for dynamic mux mode. ++ */ ++ { ++ .callback = video_detect_force_native, ++ /* Dell G15 5515 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5515"), ++ }, ++ }, ++ + /* + * Desktops which falsely report a backlight and which our heuristics + * for this do not catch. +-- +2.35.1 + diff --git a/queue-6.0/alsa-usb-audio-add-quirk-to-fix-hamedal-c20-disconne.patch b/queue-6.0/alsa-usb-audio-add-quirk-to-fix-hamedal-c20-disconne.patch new file mode 100644 index 00000000000..925333a2b9d --- /dev/null +++ b/queue-6.0/alsa-usb-audio-add-quirk-to-fix-hamedal-c20-disconne.patch @@ -0,0 +1,74 @@ +From 1de81b81300adf2e662364b618e7416c7146d367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 14:34:52 +0800 +Subject: ALSA: usb-audio: add quirk to fix Hamedal C20 disconnect issue + +From: Ai Chao + +[ Upstream commit bf990c10231937c0f51e5da5558e08cf5adc6a78 ] + +For Hamedal C20, the current rate is different from the runtime rate, +snd_usb_endpoint stop and close endpoint to resetting rate. +if snd_usb_endpoint close the endpoint, sometimes usb will +disconnect the device. + +Signed-off-by: Ai Chao +Link: https://lore.kernel.org/r/20221110063452.295110-1-aichao@kylinos.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/endpoint.c | 3 ++- + sound/usb/quirks.c | 2 ++ + sound/usb/usbaudio.h | 3 +++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 2420dc994632..4c9ea13f72d4 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -923,7 +923,8 @@ void snd_usb_endpoint_close(struct snd_usb_audio *chip, + usb_audio_dbg(chip, "Closing EP 0x%x (count %d)\n", + ep->ep_num, ep->opened); + +- if (!--ep->iface_ref->opened) ++ if (!--ep->iface_ref->opened && ++ !(chip->quirk_flags & QUIRK_FLAG_IFACE_SKIP_CLOSE)) + endpoint_set_interface(chip, ep, false); + + if (!--ep->opened) { +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 250bda7cda07..4f914dce6bbf 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2186,6 +2186,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = { + QUIRK_FLAG_GENERIC_IMPLICIT_FB), + DEVICE_FLG(0x2b53, 0x0031, /* Fiero SC-01 (firmware v1.1.0) */ + QUIRK_FLAG_GENERIC_IMPLICIT_FB), ++ DEVICE_FLG(0x0525, 0xa4ad, /* Hamedal C20 usb camero */ ++ QUIRK_FLAG_IFACE_SKIP_CLOSE), + + /* Vendor matches */ + VENDOR_FLG(0x045e, /* MS Lifecam */ +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index 2c6575029b1c..e97141ef730a 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -170,6 +170,8 @@ extern bool snd_usb_skip_validation; + * Apply the generic implicit feedback sync mode (same as implicit_fb=1 option) + * QUIRK_FLAG_SKIP_IMPLICIT_FB + * Don't apply implicit feedback sync mode ++ * QUIRK_FLAG_IFACE_SKIP_CLOSE ++ * Don't closed interface during setting sample rate + */ + + #define QUIRK_FLAG_GET_SAMPLE_RATE (1U << 0) +@@ -191,5 +193,6 @@ extern bool snd_usb_skip_validation; + #define QUIRK_FLAG_SET_IFACE_FIRST (1U << 16) + #define QUIRK_FLAG_GENERIC_IMPLICIT_FB (1U << 17) + #define QUIRK_FLAG_SKIP_IMPLICIT_FB (1U << 18) ++#define QUIRK_FLAG_IFACE_SKIP_CLOSE (1U << 19) + + #endif /* __USBAUDIO_H */ +-- +2.35.1 + diff --git a/queue-6.0/arm64-syscall-include-asm-ptrace.h-in-syscall_wrappe.patch b/queue-6.0/arm64-syscall-include-asm-ptrace.h-in-syscall_wrappe.patch new file mode 100644 index 00000000000..c35814c7218 --- /dev/null +++ b/queue-6.0/arm64-syscall-include-asm-ptrace.h-in-syscall_wrappe.patch @@ -0,0 +1,51 @@ +From 5ce4d7ad460b65a3e6808d466b2d782f41269ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 14:57:28 -0700 +Subject: arm64/syscall: Include asm/ptrace.h in syscall_wrapper header. + +From: Kuniyuki Iwashima + +[ Upstream commit acfc35cfcee5df419391671ef1a631f43feee4e3 ] + +Add the same change for ARM64 as done in the commit 9440c4294160 +("x86/syscall: Include asm/ptrace.h in syscall_wrapper header") to +make sure all syscalls see 'struct pt_regs' definition and resulted +BTF for '__arm64_sys_*(struct pt_regs *regs)' functions point to +actual struct. + +Without this patch, the BPF verifier refuses to load a tracing prog +which accesses pt_regs. + + bpf(BPF_PROG_LOAD, {prog_type=0x1a, ...}, 128) = -1 EACCES + +With this patch, we can see the correct error, which saves us time +in debugging the prog. + + bpf(BPF_PROG_LOAD, {prog_type=0x1a, ...}, 128) = 4 + bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name=NULL, prog_fd=4}}, 128) = -1 ENOTSUPP + +Signed-off-by: Kuniyuki Iwashima +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20221031215728.50389-1-kuniyu@amazon.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/syscall_wrapper.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/syscall_wrapper.h b/arch/arm64/include/asm/syscall_wrapper.h +index b383b4802a7b..d30217c21eff 100644 +--- a/arch/arm64/include/asm/syscall_wrapper.h ++++ b/arch/arm64/include/asm/syscall_wrapper.h +@@ -8,7 +8,7 @@ + #ifndef __ASM_SYSCALL_WRAPPER_H + #define __ASM_SYSCALL_WRAPPER_H + +-struct pt_regs; ++#include + + #define SC_ARM64_REGS_TO_ARGS(x, ...) \ + __MAP(x,__SC_ARGS \ +-- +2.35.1 + diff --git a/queue-6.0/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch b/queue-6.0/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch new file mode 100644 index 00000000000..6754de665a6 --- /dev/null +++ b/queue-6.0/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch @@ -0,0 +1,52 @@ +From e33570c32b76d3b1fef3d6660205b51503bac556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 10:10:21 +0800 +Subject: audit: fix undefined behavior in bit shift for AUDIT_BIT + +From: Gaosheng Cui + +[ Upstream commit 986d93f55bdeab1cac858d1e47b41fac10b2d7f6 ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in kernel/auditfilter.c:179:23 +left shift of 1 by 31 places cannot be represented in type 'int' +Call Trace: + + dump_stack_lvl+0x7d/0xa5 + dump_stack+0x15/0x1b + ubsan_epilogue+0xe/0x4e + __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c + audit_register_class+0x9d/0x137 + audit_classes_init+0x4d/0xb8 + do_one_initcall+0x76/0x430 + kernel_init_freeable+0x3b3/0x422 + kernel_init+0x24/0x1e0 + ret_from_fork+0x1f/0x30 + + +Signed-off-by: Gaosheng Cui +[PM: remove bad 'Fixes' tag as issue predates git, added in v2.6.6-rc1] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + include/uapi/linux/audit.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h +index 7c1dc818b1d5..d676ed2b246e 100644 +--- a/include/uapi/linux/audit.h ++++ b/include/uapi/linux/audit.h +@@ -187,7 +187,7 @@ + #define AUDIT_MAX_KEY_LEN 256 + #define AUDIT_BITMASK_SIZE 64 + #define AUDIT_WORD(nr) ((__u32)((nr)/32)) +-#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) ++#define AUDIT_BIT(nr) (1U << ((nr) - AUDIT_WORD(nr)*32)) + + #define AUDIT_SYSCALL_CLASSES 16 + #define AUDIT_CLASS_DIR_WRITE 0 +-- +2.35.1 + diff --git a/queue-6.0/binder-validate-alloc-mm-in-mmap-handler.patch b/queue-6.0/binder-validate-alloc-mm-in-mmap-handler.patch new file mode 100644 index 00000000000..fb0de238fa3 --- /dev/null +++ b/queue-6.0/binder-validate-alloc-mm-in-mmap-handler.patch @@ -0,0 +1,66 @@ +From 558ee060877338a914301475bf6ce16c8378ba03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 23:12:35 +0000 +Subject: binder: validate alloc->mm in ->mmap() handler + +From: Carlos Llamas + +[ Upstream commit 3ce00bb7e91cf57d723905371507af57182c37ef ] + +Since commit 1da52815d5f1 ("binder: fix alloc->vma_vm_mm null-ptr +dereference") binder caches a pointer to the current->mm during open(). +This fixes a null-ptr dereference reported by syzkaller. Unfortunately, +it also opens the door for a process to update its mm after the open(), +(e.g. via execve) making the cached alloc->mm pointer invalid. + +Things get worse when the process continues to mmap() a vma. From this +point forward, binder will attempt to find this vma using an obsolete +alloc->mm reference. Such as in binder_update_page_range(), where the +wrong vma is obtained via vma_lookup(), yet binder proceeds to happily +insert new pages into it. + +To avoid this issue fail the ->mmap() callback if we detect a mismatch +between the vma->vm_mm and the original alloc->mm pointer. This prevents +alloc->vm_addr from getting set, so that any subsequent vma_lookup() +calls fail as expected. + +Fixes: 1da52815d5f1 ("binder: fix alloc->vma_vm_mm null-ptr dereference") +Reported-by: Jann Horn +Cc: # 5.15+ +Signed-off-by: Carlos Llamas +Acked-by: Todd Kjos +Link: https://lore.kernel.org/r/20221104231235.348958-1-cmllamas@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/android/binder_alloc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c +index 9b1778c00610..64999777e0bf 100644 +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -760,6 +760,12 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc, + const char *failure_string; + struct binder_buffer *buffer; + ++ if (unlikely(vma->vm_mm != alloc->vma_vm_mm)) { ++ ret = -EINVAL; ++ failure_string = "invalid vma->vm_mm"; ++ goto err_invalid_mm; ++ } ++ + mutex_lock(&binder_alloc_mmap_lock); + if (alloc->buffer_size) { + ret = -EBUSY; +@@ -806,6 +812,7 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc, + alloc->buffer_size = 0; + err_already_mapped: + mutex_unlock(&binder_alloc_mmap_lock); ++err_invalid_mm: + binder_alloc_debug(BINDER_DEBUG_USER_ERROR, + "%s: %d %lx-%lx %s failed %d\n", __func__, + alloc->pid, vma->vm_start, vma->vm_end, +-- +2.35.1 + diff --git a/queue-6.0/block-bfq-fix-null-pointer-dereference-in-bfq_bio_bf.patch b/queue-6.0/block-bfq-fix-null-pointer-dereference-in-bfq_bio_bf.patch new file mode 100644 index 00000000000..1a2501fb47d --- /dev/null +++ b/queue-6.0/block-bfq-fix-null-pointer-dereference-in-bfq_bio_bf.patch @@ -0,0 +1,151 @@ +From ace266ab3239e9423514c146cf4f96c1fd5228b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 18:34:34 +0800 +Subject: block, bfq: fix null pointer dereference in bfq_bio_bfqg() + +From: Yu Kuai + +[ Upstream commit f02be9002c480cd3ec0fcf184ad27cf531bd6ece ] + +Out test found a following problem in kernel 5.10, and the same problem +should exist in mainline: + +BUG: kernel NULL pointer dereference, address: 0000000000000094 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP +CPU: 7 PID: 155 Comm: kworker/7:1 Not tainted 5.10.0-01932-g19e0ace2ca1d-dirty 4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-b4 +Workqueue: kthrotld blk_throtl_dispatch_work_fn +RIP: 0010:bfq_bio_bfqg+0x52/0xc0 +Code: 94 00 00 00 00 75 2e 48 8b 40 30 48 83 05 35 06 c8 0b 01 48 85 c0 74 3d 4b +RSP: 0018:ffffc90001a1fba0 EFLAGS: 00010002 +RAX: ffff888100d60400 RBX: ffff8881132e7000 RCX: 0000000000000000 +RDX: 0000000000000017 RSI: ffff888103580a18 RDI: ffff888103580a18 +RBP: ffff8881132e7000 R08: 0000000000000000 R09: ffffc90001a1fe10 +R10: 0000000000000a20 R11: 0000000000034320 R12: 0000000000000000 +R13: ffff888103580a18 R14: ffff888114447000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff88881fdc0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000094 CR3: 0000000100cdb000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + bfq_bic_update_cgroup+0x3c/0x350 + ? ioc_create_icq+0x42/0x270 + bfq_init_rq+0xfd/0x1060 + bfq_insert_requests+0x20f/0x1cc0 + ? ioc_create_icq+0x122/0x270 + blk_mq_sched_insert_requests+0x86/0x1d0 + blk_mq_flush_plug_list+0x193/0x2a0 + blk_flush_plug_list+0x127/0x170 + blk_finish_plug+0x31/0x50 + blk_throtl_dispatch_work_fn+0x151/0x190 + process_one_work+0x27c/0x5f0 + worker_thread+0x28b/0x6b0 + ? rescuer_thread+0x590/0x590 + kthread+0x153/0x1b0 + ? kthread_flush_work+0x170/0x170 + ret_from_fork+0x1f/0x30 +Modules linked in: +CR2: 0000000000000094 +---[ end trace e2e59ac014314547 ]--- +RIP: 0010:bfq_bio_bfqg+0x52/0xc0 +Code: 94 00 00 00 00 75 2e 48 8b 40 30 48 83 05 35 06 c8 0b 01 48 85 c0 74 3d 4b +RSP: 0018:ffffc90001a1fba0 EFLAGS: 00010002 +RAX: ffff888100d60400 RBX: ffff8881132e7000 RCX: 0000000000000000 +RDX: 0000000000000017 RSI: ffff888103580a18 RDI: ffff888103580a18 +RBP: ffff8881132e7000 R08: 0000000000000000 R09: ffffc90001a1fe10 +R10: 0000000000000a20 R11: 0000000000034320 R12: 0000000000000000 +R13: ffff888103580a18 R14: ffff888114447000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff88881fdc0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000094 CR3: 0000000100cdb000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Root cause is quite complex: + +1) use bfq elevator for the test device. +2) create a cgroup CG +3) config blk throtl in CG + + blkg_conf_prep + blkg_create + +4) create a thread T1 and issue async io in CG: + + bio_init + bio_associate_blkg + ... + submit_bio + submit_bio_noacct + blk_throtl_bio -> io is throttled + // io submit is done + +5) switch elevator: + + bfq_exit_queue + blkcg_deactivate_policy + list_for_each_entry(blkg, &q->blkg_list, q_node) + blkg->pd[] = NULL + // bfq policy is removed + +5) thread t1 exist, then remove the cgroup CG: + + blkcg_unpin_online + blkcg_destroy_blkgs + blkg_destroy + list_del_init(&blkg->q_node) + // blkg is removed from queue list + +6) switch elevator back to bfq + + bfq_init_queue + bfq_create_group_hierarchy + blkcg_activate_policy + list_for_each_entry_reverse(blkg, &q->blkg_list) + // blkg is removed from list, hence bfq policy is still NULL + +7) throttled io is dispatched to bfq: + + bfq_insert_requests + bfq_init_rq + bfq_bic_update_cgroup + bfq_bio_bfqg + bfqg = blkg_to_bfqg(blkg) + // bfqg is NULL because bfq policy is NULL + +The problem is only possible in bfq because only bfq can be deactivated and +activated while queue is online, while others can only be deactivated while +the device is removed. + +Fix the problem in bfq by checking if blkg is online before calling +blkg_to_bfqg(). + +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221108103434.2853269-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 30b15a9a47c4..249f489d115f 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -615,6 +615,10 @@ struct bfq_group *bfq_bio_bfqg(struct bfq_data *bfqd, struct bio *bio) + struct bfq_group *bfqg; + + while (blkg) { ++ if (!blkg->online) { ++ blkg = blkg->parent; ++ continue; ++ } + bfqg = blkg_to_bfqg(blkg); + if (bfqg->online) { + bio_associate_blkg_from_css(bio, &blkg->blkcg->css); +-- +2.35.1 + diff --git a/queue-6.0/ceph-fix-null-pointer-dereference-for-req-r_session.patch b/queue-6.0/ceph-fix-null-pointer-dereference-for-req-r_session.patch new file mode 100644 index 00000000000..35bc87dfc81 --- /dev/null +++ b/queue-6.0/ceph-fix-null-pointer-dereference-for-req-r_session.patch @@ -0,0 +1,125 @@ +From 1e3e757d315f060f6d5965b01021cdde3fca343d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 21:01:59 +0800 +Subject: ceph: fix NULL pointer dereference for req->r_session + +From: Xiubo Li + +[ Upstream commit 5bd76b8de5b74fa941a6eafee87728a0fe072267 ] + +The request's r_session maybe changed when it was forwarded or +resent. Both the forwarding and resending cases the requests will +be protected by the mdsc->mutex. + +Cc: stable@vger.kernel.org +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2137955 +Signed-off-by: Xiubo Li +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 48 ++++++++++++------------------------------------ + 1 file changed, 12 insertions(+), 36 deletions(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 1eb2ff0f6bd8..02b5c0ac5654 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -2247,7 +2247,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) + struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc; + struct ceph_inode_info *ci = ceph_inode(inode); + struct ceph_mds_request *req1 = NULL, *req2 = NULL; +- unsigned int max_sessions; + int ret, err = 0; + + spin_lock(&ci->i_unsafe_lock); +@@ -2265,28 +2264,24 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) + } + spin_unlock(&ci->i_unsafe_lock); + +- /* +- * The mdsc->max_sessions is unlikely to be changed +- * mostly, here we will retry it by reallocating the +- * sessions array memory to get rid of the mdsc->mutex +- * lock. +- */ +-retry: +- max_sessions = mdsc->max_sessions; +- + /* + * Trigger to flush the journal logs in all the relevant MDSes + * manually, or in the worst case we must wait at most 5 seconds + * to wait the journal logs to be flushed by the MDSes periodically. + */ +- if ((req1 || req2) && likely(max_sessions)) { +- struct ceph_mds_session **sessions = NULL; +- struct ceph_mds_session *s; ++ if (req1 || req2) { + struct ceph_mds_request *req; ++ struct ceph_mds_session **sessions; ++ struct ceph_mds_session *s; ++ unsigned int max_sessions; + int i; + ++ mutex_lock(&mdsc->mutex); ++ max_sessions = mdsc->max_sessions; ++ + sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL); + if (!sessions) { ++ mutex_unlock(&mdsc->mutex); + err = -ENOMEM; + goto out; + } +@@ -2298,16 +2293,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) + s = req->r_session; + if (!s) + continue; +- if (unlikely(s->s_mds >= max_sessions)) { +- spin_unlock(&ci->i_unsafe_lock); +- for (i = 0; i < max_sessions; i++) { +- s = sessions[i]; +- if (s) +- ceph_put_mds_session(s); +- } +- kfree(sessions); +- goto retry; +- } + if (!sessions[s->s_mds]) { + s = ceph_get_mds_session(s); + sessions[s->s_mds] = s; +@@ -2320,16 +2305,6 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) + s = req->r_session; + if (!s) + continue; +- if (unlikely(s->s_mds >= max_sessions)) { +- spin_unlock(&ci->i_unsafe_lock); +- for (i = 0; i < max_sessions; i++) { +- s = sessions[i]; +- if (s) +- ceph_put_mds_session(s); +- } +- kfree(sessions); +- goto retry; +- } + if (!sessions[s->s_mds]) { + s = ceph_get_mds_session(s); + sessions[s->s_mds] = s; +@@ -2341,11 +2316,12 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) + /* the auth MDS */ + spin_lock(&ci->i_ceph_lock); + if (ci->i_auth_cap) { +- s = ci->i_auth_cap->session; +- if (!sessions[s->s_mds]) +- sessions[s->s_mds] = ceph_get_mds_session(s); ++ s = ci->i_auth_cap->session; ++ if (!sessions[s->s_mds]) ++ sessions[s->s_mds] = ceph_get_mds_session(s); + } + spin_unlock(&ci->i_ceph_lock); ++ mutex_unlock(&mdsc->mutex); + + /* send flush mdlog request to MDSes */ + for (i = 0; i < max_sessions; i++) { +-- +2.35.1 + diff --git a/queue-6.0/ceph-use-kcalloc-for-allocating-multiple-elements.patch b/queue-6.0/ceph-use-kcalloc-for-allocating-multiple-elements.patch new file mode 100644 index 00000000000..28990f49060 --- /dev/null +++ b/queue-6.0/ceph-use-kcalloc-for-allocating-multiple-elements.patch @@ -0,0 +1,37 @@ +From 2df7ef104105182add414c899bf740c380be65ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 22:42:55 -0700 +Subject: ceph: Use kcalloc for allocating multiple elements + +From: Kenneth Lee + +[ Upstream commit aa1d627207cace003163dee24d1c06fa4e910c6b ] + +Prefer using kcalloc(a, b) over kzalloc(a * b) as this improves +semantics since kcalloc is intended for allocating an array of memory. + +Signed-off-by: Kenneth Lee +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Stable-dep-of: 5bd76b8de5b7 ("ceph: fix NULL pointer dereference for req->r_session") +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 53cfe026b3ea..1eb2ff0f6bd8 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -2285,7 +2285,7 @@ static int flush_mdlog_and_wait_inode_unsafe_requests(struct inode *inode) + struct ceph_mds_request *req; + int i; + +- sessions = kzalloc(max_sessions * sizeof(s), GFP_KERNEL); ++ sessions = kcalloc(max_sessions, sizeof(s), GFP_KERNEL); + if (!sessions) { + err = -ENOMEM; + goto out; +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-fix-fclk-deviation-and-tool-compile-.patch b/queue-6.0/drm-amd-display-fix-fclk-deviation-and-tool-compile-.patch new file mode 100644 index 00000000000..d7f351e9d8a --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-fclk-deviation-and-tool-compile-.patch @@ -0,0 +1,64 @@ +From fbfadf5a40a8a4ef522047fa6f56cdbba0d026c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 09:51:19 -0400 +Subject: drm/amd/display: Fix FCLK deviation and tool compile issues + +From: Chaitanya Dhere + +[ Upstream commit 0d5c5c210a4d4e655feb93b379647f0b179cdafe ] + +[Why] +Recent backports from open source do not have header inclusion pattern +that is consistent with inclusion style in the rest of the file. This +breaks the internal tool builds as well. A recent commit erronously +modified the original DML formula for calculating +ActiveClockChangeLatencyHidingY. This resulted in a FCLK deviation +from the golden values. + +[How] +Change the way in which display_mode_vba.h is included so that it is +consistent with the inclusion style in rest of the file which also fixes +the tool build. Restore the DML formula to its original state to fix the +FCLK deviation. + +Reviewed-by: Aurabindo Pillai +Reviewed-by: Jun Lei +Acked-by: Alan Liu +Signed-off-by: Chaitanya Dhere +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.c | 2 +- + .../gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.c +index 67af8f4df8b8..d9141ef2fefd 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.c +@@ -4396,7 +4396,7 @@ void dml32_CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport( + + if (v->NumberOfActiveSurfaces > 1) { + ActiveClockChangeLatencyHidingY = ActiveClockChangeLatencyHidingY +- - (1 - 1 / v->NumberOfActiveSurfaces) * SwathHeightY[k] * v->HTotal[k] ++ - (1.0 - 1.0 / v->NumberOfActiveSurfaces) * SwathHeightY[k] * v->HTotal[k] + / v->PixelClock[k] / v->VRatio[k]; + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.h b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.h +index 0b427d89b3c5..f174f5c5ff92 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_util_32.h +@@ -30,7 +30,7 @@ + #include "os_types.h" + #include "../dc_features.h" + #include "../display_mode_structs.h" +-#include "dml/display_mode_vba.h" ++#include "../display_mode_vba.h" + + unsigned int dml32_dscceComputeDelay( + unsigned int bpc, +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-fix-gpio-port-mapping-issue.patch b/queue-6.0/drm-amd-display-fix-gpio-port-mapping-issue.patch new file mode 100644 index 00000000000..693fa3104a1 --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-gpio-port-mapping-issue.patch @@ -0,0 +1,84 @@ +From 0dd7eb98225bd64df4ff6ca409fc2a279d4bd8e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 05:52:32 +0800 +Subject: drm/amd/display: Fix gpio port mapping issue + +From: Steve Su + +[ Upstream commit c0b2753f5db281b07013899c79b5f06a614055f9 ] + +[Why] +1. Port of gpio has different mapping. + +[How] +1. Add a dummy entry in mapping table. +2. Fix incorrect mask bit field access. + +Reviewed-by: Alvin Lee +Acked-by: Alan Liu +Signed-off-by: Steve Su +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/gpio/dcn32/hw_factory_dcn32.c | 14 ++++++++++++++ + drivers/gpu/drm/amd/display/dc/gpio/hw_ddc.c | 9 ++++++--- + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/gpio/dcn32/hw_factory_dcn32.c b/drivers/gpu/drm/amd/display/dc/gpio/dcn32/hw_factory_dcn32.c +index d635b73af46f..0ea52ba5ac82 100644 +--- a/drivers/gpu/drm/amd/display/dc/gpio/dcn32/hw_factory_dcn32.c ++++ b/drivers/gpu/drm/amd/display/dc/gpio/dcn32/hw_factory_dcn32.c +@@ -107,6 +107,13 @@ static const struct ddc_registers ddc_data_regs_dcn[] = { + ddc_data_regs_dcn2(3), + ddc_data_regs_dcn2(4), + ddc_data_regs_dcn2(5), ++ { ++ // add a dummy entry for cases no such port ++ {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,}, ++ .ddc_setup = 0, ++ .phy_aux_cntl = 0, ++ .dc_gpio_aux_ctrl_5 = 0 ++ }, + { + DDC_GPIO_VGA_REG_LIST(DATA), + .ddc_setup = 0, +@@ -121,6 +128,13 @@ static const struct ddc_registers ddc_clk_regs_dcn[] = { + ddc_clk_regs_dcn2(3), + ddc_clk_regs_dcn2(4), + ddc_clk_regs_dcn2(5), ++ { ++ // add a dummy entry for cases no such port ++ {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,}, ++ .ddc_setup = 0, ++ .phy_aux_cntl = 0, ++ .dc_gpio_aux_ctrl_5 = 0 ++ }, + { + DDC_GPIO_VGA_REG_LIST(CLK), + .ddc_setup = 0, +diff --git a/drivers/gpu/drm/amd/display/dc/gpio/hw_ddc.c b/drivers/gpu/drm/amd/display/dc/gpio/hw_ddc.c +index 6fd38cdd68c0..525bc8881950 100644 +--- a/drivers/gpu/drm/amd/display/dc/gpio/hw_ddc.c ++++ b/drivers/gpu/drm/amd/display/dc/gpio/hw_ddc.c +@@ -94,11 +94,14 @@ static enum gpio_result set_config( + * is required for detection of AUX mode */ + if (hw_gpio->base.en != GPIO_DDC_LINE_VIP_PAD) { + if (!ddc_data_pd_en || !ddc_clk_pd_en) { +- +- REG_SET_2(gpio.MASK_reg, regval, ++ if (hw_gpio->base.en == GPIO_DDC_LINE_DDC_VGA) { ++ // bit 4 of mask has different usage in some cases ++ REG_SET(gpio.MASK_reg, regval, DC_GPIO_DDC1DATA_PD_EN, 1); ++ } else { ++ REG_SET_2(gpio.MASK_reg, regval, + DC_GPIO_DDC1DATA_PD_EN, 1, + DC_GPIO_DDC1CLK_PD_EN, 1); +- ++ } + if (config_data->type == + GPIO_CONFIG_TYPE_I2C_AUX_DUAL_MODE) + msleep(3); +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-only-fill-dirty-rectangles-when-psr-.patch b/queue-6.0/drm-amd-display-only-fill-dirty-rectangles-when-psr-.patch new file mode 100644 index 00000000000..e7b3631eef7 --- /dev/null +++ b/queue-6.0/drm-amd-display-only-fill-dirty-rectangles-when-psr-.patch @@ -0,0 +1,45 @@ +From 2569ceb357a504e3b1779e761a51f06f6997aedc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 12:06:27 -0500 +Subject: drm/amd/display: only fill dirty rectangles when PSR is enabled + +From: Hamza Mahfooz + +[ Upstream commit 675d84621a24490e1de3d59a4992a17fa9ff92b5 ] + +Currently, we are calling fill_dc_dirty_rects() even if PSR isn't +supported by the relevant link in amdgpu_dm_commit_planes(), this is +undesirable especially because when drm.debug is enabled we are printing +messages in fill_dc_dirty_rects() that are only useful for debugging PSR +(and confusing otherwise). So, we can instead limit the filling of dirty +rectangles to only when PSR is enabled. + +Reviewed-by: Leo Li +Signed-off-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 7f8eb09b0b7c..9ce100e315c5 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7650,9 +7650,10 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state, + bundle->surface_updates[planes_count].plane_info = + &bundle->plane_infos[planes_count]; + +- fill_dc_dirty_rects(plane, old_plane_state, new_plane_state, +- new_crtc_state, +- &bundle->flip_addrs[planes_count]); ++ if (acrtc_state->stream->link->psr_settings.psr_feature_enabled) ++ fill_dc_dirty_rects(plane, old_plane_state, ++ new_plane_state, new_crtc_state, ++ &bundle->flip_addrs[planes_count]); + + /* + * Only allow immediate flips for fast updates that don't +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-zeromem-mypipe-heap-struct-before-us.patch b/queue-6.0/drm-amd-display-zeromem-mypipe-heap-struct-before-us.patch new file mode 100644 index 00000000000..80e1be79b3c --- /dev/null +++ b/queue-6.0/drm-amd-display-zeromem-mypipe-heap-struct-before-us.patch @@ -0,0 +1,39 @@ +From 2d28939408cd8ce71c6f45321dd2333d0745b6aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Oct 2022 17:26:24 -0400 +Subject: drm/amd/display: Zeromem mypipe heap struct before using it + +From: Aurabindo Pillai + +[ Upstream commit ab4b35008db9b7ae747679250e5c26d7c3a90cea ] + +[Why&How] +Bug was caused when moving variable from stack to heap because it was reusable +and garbage was left over, so we need to zero mem. + +Reviewed-by: Martin Leung +Acked-by: Alan Liu +Signed-off-by: Aurabindo Pillai +Signed-off-by: Martin Leung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c +index bea380407151..042f9a62c4c5 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/display_mode_vba_32.c +@@ -3197,6 +3197,7 @@ void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l + mode_lib->vba.FCLKChangeLatency, mode_lib->vba.UrgLatency[i], + mode_lib->vba.SREnterPlusExitTime); + ++ memset(&v->dummy_vars.dml32_ModeSupportAndSystemConfigurationFull, 0, sizeof(DmlPipe)); + v->dummy_vars.dml32_ModeSupportAndSystemConfigurationFull.myPipe.Dppclk = mode_lib->vba.RequiredDPPCLK[i][j][k]; + v->dummy_vars.dml32_ModeSupportAndSystemConfigurationFull.myPipe.Dispclk = mode_lib->vba.RequiredDISPCLK[i][j]; + v->dummy_vars.dml32_ModeSupportAndSystemConfigurationFull.myPipe.PixelClock = mode_lib->vba.PixelClock[k]; +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-drop-eviction-lock-when-allocating-pt-bo.patch b/queue-6.0/drm-amdgpu-drop-eviction-lock-when-allocating-pt-bo.patch new file mode 100644 index 00000000000..a087ae46b0c --- /dev/null +++ b/queue-6.0/drm-amdgpu-drop-eviction-lock-when-allocating-pt-bo.patch @@ -0,0 +1,117 @@ +From 1571896a0d84ec3a578f5d94c3f18043f35410a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 16:55:31 -0400 +Subject: drm/amdgpu: Drop eviction lock when allocating PT BO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philip Yang + +[ Upstream commit e034a0d9aaee5c9129d5dfdfdfcab988a953412d ] + +Re-take the eviction lock immediately again after the allocation is +completed, to fix circular locking warning with drm_buddy allocator. + +Move amdgpu_vm_eviction_lock/unlock/trylock to amdgpu_vm.h as they are +called from multiple files. + +Signed-off-by: Philip Yang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 26 ----------------------- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 26 +++++++++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 2 ++ + 3 files changed, 28 insertions(+), 26 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index 04130f8813ef..369c0d03e3c6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -143,32 +143,6 @@ int amdgpu_vm_set_pasid(struct amdgpu_device *adev, struct amdgpu_vm *vm, + return 0; + } + +-/* +- * vm eviction_lock can be taken in MMU notifiers. Make sure no reclaim-FS +- * happens while holding this lock anywhere to prevent deadlocks when +- * an MMU notifier runs in reclaim-FS context. +- */ +-static inline void amdgpu_vm_eviction_lock(struct amdgpu_vm *vm) +-{ +- mutex_lock(&vm->eviction_lock); +- vm->saved_flags = memalloc_noreclaim_save(); +-} +- +-static inline int amdgpu_vm_eviction_trylock(struct amdgpu_vm *vm) +-{ +- if (mutex_trylock(&vm->eviction_lock)) { +- vm->saved_flags = memalloc_noreclaim_save(); +- return 1; +- } +- return 0; +-} +- +-static inline void amdgpu_vm_eviction_unlock(struct amdgpu_vm *vm) +-{ +- memalloc_noreclaim_restore(vm->saved_flags); +- mutex_unlock(&vm->eviction_lock); +-} +- + /** + * amdgpu_vm_bo_evicted - vm_bo is evicted + * +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h +index 278512535b51..39d2898caede 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h +@@ -503,4 +503,30 @@ static inline uint64_t amdgpu_vm_tlb_seq(struct amdgpu_vm *vm) + return atomic64_read(&vm->tlb_seq); + } + ++/* ++ * vm eviction_lock can be taken in MMU notifiers. Make sure no reclaim-FS ++ * happens while holding this lock anywhere to prevent deadlocks when ++ * an MMU notifier runs in reclaim-FS context. ++ */ ++static inline void amdgpu_vm_eviction_lock(struct amdgpu_vm *vm) ++{ ++ mutex_lock(&vm->eviction_lock); ++ vm->saved_flags = memalloc_noreclaim_save(); ++} ++ ++static inline bool amdgpu_vm_eviction_trylock(struct amdgpu_vm *vm) ++{ ++ if (mutex_trylock(&vm->eviction_lock)) { ++ vm->saved_flags = memalloc_noreclaim_save(); ++ return true; ++ } ++ return false; ++} ++ ++static inline void amdgpu_vm_eviction_unlock(struct amdgpu_vm *vm) ++{ ++ memalloc_noreclaim_restore(vm->saved_flags); ++ mutex_unlock(&vm->eviction_lock); ++} ++ + #endif +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c +index 88de9f0d4728..983899574464 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c +@@ -597,7 +597,9 @@ static int amdgpu_vm_pt_alloc(struct amdgpu_device *adev, + if (entry->bo) + return 0; + ++ amdgpu_vm_eviction_unlock(vm); + r = amdgpu_vm_pt_create(adev, vm, cursor->level, immediate, &pt); ++ amdgpu_vm_eviction_lock(vm); + if (r) + return r; + +-- +2.35.1 + diff --git a/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-acer-swit.patch b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-acer-swit.patch new file mode 100644 index 00000000000..1145b960874 --- /dev/null +++ b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-acer-swit.patch @@ -0,0 +1,43 @@ +From 645a1766feab30fc95eb43e651994079077cc035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Nov 2022 22:50:52 +0100 +Subject: drm: panel-orientation-quirks: Add quirk for Acer Switch V 10 + (SW5-017) + +From: Hans de Goede + +[ Upstream commit 653f2d94fcda200b02bd79cea2e0307b26c1b747 ] + +Like the Acer Switch One 10 S1003, for which there already is a quirk, +the Acer Switch V 10 (SW5-017) has a 800x1280 portrait screen mounted +in the tablet part of a landscape oriented 2-in-1. Add a quirk for this. + +Cc: Rudolf Polzer +Signed-off-by: Hans de Goede +Acked-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20221106215052.66995-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index f0f6fa306521..52d8800a8ab8 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -134,6 +134,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* Acer Switch V 10 (SW5-017) */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SW5-017"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* Anbernic Win600 */ + .matches = { + DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Anbernic"), +-- +2.35.1 + diff --git a/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-nanote-um.patch b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-nanote-um.patch new file mode 100644 index 00000000000..f35a301ba0e --- /dev/null +++ b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-nanote-um.patch @@ -0,0 +1,40 @@ +From df87b494c69e2787df1ab30a6e23164abb6ef5b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 15:32:58 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for Nanote UMPC-01 + +From: Hans de Goede + +[ Upstream commit 308451d9c7fece33d9551230cb8e5eb7f3914988 ] + +The Nanote UMPC-01 is a mini laptop with a 1200x1920 portrait screen +mounted in a landscape oriented clamshell case. Add a quirk for this. + +Signed-off-by: Hans de Goede +Acked-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20220919133258.711639-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 8a0c0e0bb5bd..f0f6fa306521 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -319,6 +319,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_MATCH(DMI_BIOS_VERSION, "BLADE_21"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, ++ }, { /* Nanote UMPC-01 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "RWC CO.,LTD"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "UMPC-01"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* OneGX1 Pro */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SYSTEM_MANUFACTURER"), +-- +2.35.1 + diff --git a/queue-6.0/io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch b/queue-6.0/io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch new file mode 100644 index 00000000000..1562c88ca69 --- /dev/null +++ b/queue-6.0/io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch @@ -0,0 +1,35 @@ +From e2e9ab01df693f00442fc1d3868bb92c3e9d06c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 16:51:30 +0000 +Subject: io_uring/poll: lockdep annote io_poll_req_insert_locked + +From: Pavel Begunkov + +[ Upstream commit 5576035f15dfcc6cb1cec236db40c2c0733b0ba4 ] + +Add a lockdep annotation in io_poll_req_insert_locked(). + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/8115d8e702733754d0aea119e9b5bb63d1eb8b24.1668184658.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/poll.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/io_uring/poll.c b/io_uring/poll.c +index ba0f68466930..055632e9092a 100644 +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -116,6 +116,8 @@ static void io_poll_req_insert_locked(struct io_kiocb *req) + struct io_hash_table *table = &req->ctx->cancel_table_locked; + u32 index = hash_long(req->cqe.user_data, table->hash_bits); + ++ lockdep_assert_held(&req->ctx->uring_lock); ++ + hlist_add_head(&req->hash_node, &table->hbs[index].list); + } + +-- +2.35.1 + diff --git a/queue-6.0/mips-pic32-treat-port-as-signed-integer.patch b/queue-6.0/mips-pic32-treat-port-as-signed-integer.patch new file mode 100644 index 00000000000..36622553445 --- /dev/null +++ b/queue-6.0/mips-pic32-treat-port-as-signed-integer.patch @@ -0,0 +1,105 @@ +From 104fe776e9944faf826215b138bf2a3efe64f9e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 15:23:44 +0200 +Subject: MIPS: pic32: treat port as signed integer + +From: Jason A. Donenfeld + +[ Upstream commit 648060902aa302331b5d6e4f26d8ee0761d239ab ] + +get_port_from_cmdline() returns an int, yet is assigned to a char, which +is wrong in its own right, but also, with char becoming unsigned, this +poses problems, because -1 is used as an error value. Further +complicating things, fw_init_early_console() is only ever called with a +-1 argument. Fix this up by removing the unused argument from +fw_init_early_console() and treating port as a proper signed integer. + +Cc: Thomas Bogendoerfer +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/fw/fw.h | 2 +- + arch/mips/pic32/pic32mzda/early_console.c | 13 ++++++------- + arch/mips/pic32/pic32mzda/init.c | 2 +- + 3 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/arch/mips/include/asm/fw/fw.h b/arch/mips/include/asm/fw/fw.h +index d0ef8b4892bb..d0494ce4b337 100644 +--- a/arch/mips/include/asm/fw/fw.h ++++ b/arch/mips/include/asm/fw/fw.h +@@ -26,6 +26,6 @@ extern char *fw_getcmdline(void); + extern void fw_meminit(void); + extern char *fw_getenv(char *name); + extern unsigned long fw_getenvl(char *name); +-extern void fw_init_early_console(char port); ++extern void fw_init_early_console(void); + + #endif /* __ASM_FW_H_ */ +diff --git a/arch/mips/pic32/pic32mzda/early_console.c b/arch/mips/pic32/pic32mzda/early_console.c +index 25372e62783b..3cd1b408fa1c 100644 +--- a/arch/mips/pic32/pic32mzda/early_console.c ++++ b/arch/mips/pic32/pic32mzda/early_console.c +@@ -27,7 +27,7 @@ + #define U_BRG(x) (UART_BASE(x) + 0x40) + + static void __iomem *uart_base; +-static char console_port = -1; ++static int console_port = -1; + + static int __init configure_uart_pins(int port) + { +@@ -47,7 +47,7 @@ static int __init configure_uart_pins(int port) + return 0; + } + +-static void __init configure_uart(char port, int baud) ++static void __init configure_uart(int port, int baud) + { + u32 pbclk; + +@@ -60,7 +60,7 @@ static void __init configure_uart(char port, int baud) + uart_base + PIC32_SET(U_STA(port))); + } + +-static void __init setup_early_console(char port, int baud) ++static void __init setup_early_console(int port, int baud) + { + if (configure_uart_pins(port)) + return; +@@ -130,16 +130,15 @@ static int __init get_baud_from_cmdline(char *arch_cmdline) + return baud; + } + +-void __init fw_init_early_console(char port) ++void __init fw_init_early_console(void) + { + char *arch_cmdline = pic32_getcmdline(); +- int baud = -1; ++ int baud, port; + + uart_base = ioremap(PIC32_BASE_UART, 0xc00); + + baud = get_baud_from_cmdline(arch_cmdline); +- if (port == -1) +- port = get_port_from_cmdline(arch_cmdline); ++ port = get_port_from_cmdline(arch_cmdline); + + if (port == -1) + port = EARLY_CONSOLE_PORT; +diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c +index d9c8c4e46aff..58d8ca730df7 100644 +--- a/arch/mips/pic32/pic32mzda/init.c ++++ b/arch/mips/pic32/pic32mzda/init.c +@@ -47,7 +47,7 @@ void __init plat_mem_setup(void) + strlcpy(arcs_cmdline, boot_command_line, COMMAND_LINE_SIZE); + + #ifdef CONFIG_EARLY_PRINTK +- fw_init_early_console(-1); ++ fw_init_early_console(); + #endif + pic32_config_init(); + } +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-errors.patch b/queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-errors.patch new file mode 100644 index 00000000000..bfd6124175d --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-kernel-test-robot-reported-errors.patch @@ -0,0 +1,48 @@ +From 9468b8c269bc49fb1c030e7e1e0db94749223ac0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 13:05:24 +0530 +Subject: net: wwan: iosm: fix kernel test robot reported errors + +From: M Chetan Kumar + +[ Upstream commit 980ec04a88c9f0046c1da65833fb77b2ffa34b04 ] + +Include linux/vmalloc.h in iosm_ipc_coredump.c & +iosm_ipc_devlink.c to resolve kernel test robot errors. + +Reported-by: kernel test robot +Signed-off-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_coredump.c | 1 + + drivers/net/wwan/iosm/iosm_ipc_devlink.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_coredump.c b/drivers/net/wwan/iosm/iosm_ipc_coredump.c +index 9acd87724c9d..26ca30476f40 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_coredump.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_coredump.c +@@ -2,6 +2,7 @@ + /* + * Copyright (C) 2020-2021 Intel Corporation. + */ ++#include + + #include "iosm_ipc_coredump.h" + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_devlink.c b/drivers/net/wwan/iosm/iosm_ipc_devlink.c +index 17da85a8f337..2fe724d623c0 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_devlink.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_devlink.c +@@ -2,6 +2,7 @@ + /* + * Copyright (C) 2020-2021 Intel Corporation. + */ ++#include + + #include "iosm_ipc_chnl_cfg.h" + #include "iosm_ipc_coredump.h" +-- +2.35.1 + diff --git a/queue-6.0/nvme-quiet-user-passthrough-command-errors.patch b/queue-6.0/nvme-quiet-user-passthrough-command-errors.patch new file mode 100644 index 00000000000..aa24183c4b8 --- /dev/null +++ b/queue-6.0/nvme-quiet-user-passthrough-command-errors.patch @@ -0,0 +1,82 @@ +From c328de00e9f22d58506840521563368c3a59958c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Oct 2022 13:14:15 -0700 +Subject: nvme: quiet user passthrough command errors + +From: Keith Busch + +[ Upstream commit d7ac8dca938cd60cf7bd9a89a229a173c6bcba87 ] + +The driver is spamming the kernel logs for entirely harmless errors from +user space submitting unsupported commands. Just silence the errors. +The application has direct access to command status, so there's no need +to log these. + +And since every passthrough command now uses the quiet flag, move the +setting to the common initializer. + +Signed-off-by: Keith Busch +Reviewed-by: Alan Adamson +Reviewed-by: Jens Axboe +Reviewed-by: Kanchan Joshi +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Daniel Wagner +Tested-by: Alan Adamson +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 3 +-- + drivers/nvme/host/pci.c | 2 -- + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index ed47c256dbd2..01c36284e542 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -675,6 +675,7 @@ void nvme_init_request(struct request *req, struct nvme_command *cmd) + if (req->mq_hctx->type == HCTX_TYPE_POLL) + req->cmd_flags |= REQ_POLLED; + nvme_clear_nvme_request(req); ++ req->rq_flags |= RQF_QUIET; + memcpy(nvme_req(req)->cmd, cmd, sizeof(*cmd)); + } + EXPORT_SYMBOL_GPL(nvme_init_request); +@@ -1037,7 +1038,6 @@ int __nvme_submit_sync_cmd(struct request_queue *q, struct nvme_command *cmd, + goto out; + } + +- req->rq_flags |= RQF_QUIET; + ret = nvme_execute_rq(req, at_head); + if (result && ret >= 0) + *result = nvme_req(req)->result; +@@ -1225,7 +1225,6 @@ static void nvme_keep_alive_work(struct work_struct *work) + rq->timeout = ctrl->kato * HZ; + rq->end_io = nvme_keep_alive_end_io; + rq->end_io_data = ctrl; +- rq->rq_flags |= RQF_QUIET; + blk_execute_rq_nowait(rq, false); + } + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 1a6423e94eb3..0f34114c4596 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1438,7 +1438,6 @@ static enum blk_eh_timer_return nvme_timeout(struct request *req) + + abort_req->end_io = abort_endio; + abort_req->end_io_data = NULL; +- abort_req->rq_flags |= RQF_QUIET; + blk_execute_rq_nowait(abort_req, false); + + /* +@@ -2489,7 +2488,6 @@ static int nvme_delete_queue(struct nvme_queue *nvmeq, u8 opcode) + req->end_io_data = nvmeq; + + init_completion(&nvmeq->delete_done); +- req->rq_flags |= RQF_QUIET; + blk_execute_rq_nowait(req, false); + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/nvmet-fix-memory-leak-in-nvmet_subsys_attr_model_sto.patch b/queue-6.0/nvmet-fix-memory-leak-in-nvmet_subsys_attr_model_sto.patch new file mode 100644 index 00000000000..31582bd2047 --- /dev/null +++ b/queue-6.0/nvmet-fix-memory-leak-in-nvmet_subsys_attr_model_sto.patch @@ -0,0 +1,51 @@ +From bca56d9e4383096c4d817d2f378e535b9643bf4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 12:31:33 +0400 +Subject: nvmet: fix memory leak in nvmet_subsys_attr_model_store_locked + +From: Aleksandr Miloserdov + +[ Upstream commit becc4cac309dc867571f0080fde4426a6c2222e0 ] + +Since model_number is allocated before it needs to be freed before +kmemdump_nul. + +Reviewed-by: Konstantin Shelekhin +Reviewed-by: Dmitriy Bogdanov +Signed-off-by: Aleksandr Miloserdov +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index 7f52d9dac443..a79eadb953de 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -1215,6 +1215,7 @@ static ssize_t nvmet_subsys_attr_model_store_locked(struct nvmet_subsys *subsys, + const char *page, size_t count) + { + int pos = 0, len; ++ char *val; + + if (subsys->subsys_discovered) { + pr_err("Can't set model number. %s is already assigned\n", +@@ -1237,9 +1238,11 @@ static ssize_t nvmet_subsys_attr_model_store_locked(struct nvmet_subsys *subsys, + return -EINVAL; + } + +- subsys->model_number = kmemdup_nul(page, len, GFP_KERNEL); +- if (!subsys->model_number) ++ val = kmemdup_nul(page, len, GFP_KERNEL); ++ if (!val) + return -ENOMEM; ++ kfree(subsys->model_number); ++ subsys->model_number = val; + return count; + } + +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-ideapad-laptop-disable-touchpad_switch.patch b/queue-6.0/platform-x86-ideapad-laptop-disable-touchpad_switch.patch new file mode 100644 index 00000000000..45a5befc664 --- /dev/null +++ b/queue-6.0/platform-x86-ideapad-laptop-disable-touchpad_switch.patch @@ -0,0 +1,70 @@ +From 160b2f49cc5a1ad462147e8e9d75861003e7a57e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 17:53:23 +0800 +Subject: platform/x86: ideapad-laptop: Disable touchpad_switch + +From: Manyi Li + +[ Upstream commit a231224a601c1924b9df620281ad04472900d75f ] + +Ideapads for "Lenovo Yoga 3 Pro 1370" and "ZhaoYang K4e-IML" do not +use EC to switch touchpad. + +Reading VPCCMD_R_TOUCHPAD will return zero thus touchpad may be blocked +unexpectedly. + +Signed-off-by: Manyi Li +Link: https://lore.kernel.org/r/20221018095323.14591-1-limanyi@uniontech.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ideapad-laptop.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c +index abd0c81d62c4..33b3dfdd1b08 100644 +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -1533,6 +1533,24 @@ static const struct dmi_system_id hw_rfkill_list[] = { + {} + }; + ++static const struct dmi_system_id no_touchpad_switch_list[] = { ++ { ++ .ident = "Lenovo Yoga 3 Pro 1370", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3"), ++ }, ++ }, ++ { ++ .ident = "ZhaoYang K4e-IML", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ZhaoYang K4e-IML"), ++ }, ++ }, ++ {} ++}; ++ + static void ideapad_check_features(struct ideapad_private *priv) + { + acpi_handle handle = priv->adev->handle; +@@ -1541,7 +1559,12 @@ static void ideapad_check_features(struct ideapad_private *priv) + priv->features.hw_rfkill_switch = dmi_check_system(hw_rfkill_list); + + /* Most ideapads with ELAN0634 touchpad don't use EC touchpad switch */ +- priv->features.touchpad_ctrl_via_ec = !acpi_dev_present("ELAN0634", NULL, -1); ++ if (acpi_dev_present("ELAN0634", NULL, -1)) ++ priv->features.touchpad_ctrl_via_ec = 0; ++ else if (dmi_check_system(no_touchpad_switch_list)) ++ priv->features.touchpad_ctrl_via_ec = 0; ++ else ++ priv->features.touchpad_ctrl_via_ec = 1; + + if (!read_ec_data(handle, VPCCMD_R_FAN, &val)) + priv->features.fan_mode = true; +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-intel-hid-add-some-acpi-device-ids.patch b/queue-6.0/platform-x86-intel-hid-add-some-acpi-device-ids.patch new file mode 100644 index 00000000000..c01547a175d --- /dev/null +++ b/queue-6.0/platform-x86-intel-hid-add-some-acpi-device-ids.patch @@ -0,0 +1,38 @@ +From 4b4af84e7c96de00248472adba351c83d9c3b51d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 10:05:48 +0800 +Subject: platform/x86/intel/hid: Add some ACPI device IDs + +From: Ivan Hu + +[ Upstream commit a977ece5773b6746b814aac410da4776023db239 ] + +Add INTC1076 (JasonLake), INTC1077 (MeteorLake) and INTC1078 (RaptorLake) +devices IDs. + +Signed-off-by: Ivan Hu +Link: https://lore.kernel.org/r/20221102020548.5225-1-ivan.hu@canonical.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/hid.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c +index 79cff1fc675c..b6313ecd190c 100644 +--- a/drivers/platform/x86/intel/hid.c ++++ b/drivers/platform/x86/intel/hid.c +@@ -27,6 +27,9 @@ static const struct acpi_device_id intel_hid_ids[] = { + {"INTC1051", 0}, + {"INTC1054", 0}, + {"INTC1070", 0}, ++ {"INTC1076", 0}, ++ {"INTC1077", 0}, ++ {"INTC1078", 0}, + {"", 0}, + }; + MODULE_DEVICE_TABLE(acpi, intel_hid_ids); +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-intel-pmt-sapphire-rapids-pmt-errata-fi.patch b/queue-6.0/platform-x86-intel-pmt-sapphire-rapids-pmt-errata-fi.patch new file mode 100644 index 00000000000..a5c2a236cd7 --- /dev/null +++ b/queue-6.0/platform-x86-intel-pmt-sapphire-rapids-pmt-errata-fi.patch @@ -0,0 +1,88 @@ +From cdcbf08c73c96aafdf3f35e33a07d018bf12498e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 20:42:28 -0700 +Subject: platform/x86/intel/pmt: Sapphire Rapids PMT errata fix + +From: David E. Box + +[ Upstream commit bcdfa1f77ea7f67368d20384932a9d1e3047ddd2 ] + +On Sapphire Rapids, due to a hardware issue affecting the PUNIT telemetry +region, reads that are not done in QWORD quantities and alignment may +return incorrect data. Use a custom 64-bit copy for this region. + +Signed-off-by: David E. Box +Link: https://lore.kernel.org/r/20221105034228.1376677-1-david.e.box@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmt/class.c | 31 +++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c +index 53d7fd2943b4..46598dcb634a 100644 +--- a/drivers/platform/x86/intel/pmt/class.c ++++ b/drivers/platform/x86/intel/pmt/class.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -19,6 +20,7 @@ + #define PMT_XA_START 0 + #define PMT_XA_MAX INT_MAX + #define PMT_XA_LIMIT XA_LIMIT(PMT_XA_START, PMT_XA_MAX) ++#define GUID_SPR_PUNIT 0x9956f43f + + bool intel_pmt_is_early_client_hw(struct device *dev) + { +@@ -33,6 +35,29 @@ bool intel_pmt_is_early_client_hw(struct device *dev) + } + EXPORT_SYMBOL_GPL(intel_pmt_is_early_client_hw); + ++static inline int ++pmt_memcpy64_fromio(void *to, const u64 __iomem *from, size_t count) ++{ ++ int i, remain; ++ u64 *buf = to; ++ ++ if (!IS_ALIGNED((unsigned long)from, 8)) ++ return -EFAULT; ++ ++ for (i = 0; i < count/8; i++) ++ buf[i] = readq(&from[i]); ++ ++ /* Copy any remaining bytes */ ++ remain = count % 8; ++ if (remain) { ++ u64 tmp = readq(&from[i]); ++ ++ memcpy(&buf[i], &tmp, remain); ++ } ++ ++ return count; ++} ++ + /* + * sysfs + */ +@@ -54,7 +79,11 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, + if (count > entry->size - off) + count = entry->size - off; + +- memcpy_fromio(buf, entry->base + off, count); ++ if (entry->guid == GUID_SPR_PUNIT) ++ /* PUNIT on SPR only supports aligned 64-bit read */ ++ count = pmt_memcpy64_fromio(buf, entry->base + off, count); ++ else ++ memcpy_fromio(buf, entry->base + off, count); + + return count; + } +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-touchscreen_dmi-add-info-for-the-rca-ca.patch b/queue-6.0/platform-x86-touchscreen_dmi-add-info-for-the-rca-ca.patch new file mode 100644 index 00000000000..5e850ec824f --- /dev/null +++ b/queue-6.0/platform-x86-touchscreen_dmi-add-info-for-the-rca-ca.patch @@ -0,0 +1,66 @@ +From 2ce96303c5ff5e120b24471c51c4ca9f142259aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 16:11:31 +0200 +Subject: platform/x86: touchscreen_dmi: Add info for the RCA Cambio W101 v2 + 2-in-1 + +From: Hans de Goede + +[ Upstream commit 0df044b34bf33e7e35c32b3bf6747fde6279c162 ] + +Add touchscreen info for the RCA Cambio W101 v2 2-in-1. + +Link: https://github.com/onitake/gsl-firmware/discussions/193 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20221025141131.509211-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/touchscreen_dmi.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c +index bc97bfa8e8a6..baae3120efd0 100644 +--- a/drivers/platform/x86/touchscreen_dmi.c ++++ b/drivers/platform/x86/touchscreen_dmi.c +@@ -770,6 +770,22 @@ static const struct ts_dmi_data predia_basic_data = { + .properties = predia_basic_props, + }; + ++static const struct property_entry rca_cambio_w101_v2_props[] = { ++ PROPERTY_ENTRY_U32("touchscreen-min-x", 4), ++ PROPERTY_ENTRY_U32("touchscreen-min-y", 20), ++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1644), ++ PROPERTY_ENTRY_U32("touchscreen-size-y", 874), ++ PROPERTY_ENTRY_BOOL("touchscreen-swapped-x-y"), ++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-rca-cambio-w101-v2.fw"), ++ PROPERTY_ENTRY_U32("silead,max-fingers", 10), ++ { } ++}; ++ ++static const struct ts_dmi_data rca_cambio_w101_v2_data = { ++ .acpi_name = "MSSL1680:00", ++ .properties = rca_cambio_w101_v2_props, ++}; ++ + static const struct property_entry rwc_nanote_p8_props[] = { + PROPERTY_ENTRY_U32("touchscreen-min-y", 46), + PROPERTY_ENTRY_U32("touchscreen-size-x", 1728), +@@ -1409,6 +1425,15 @@ const struct dmi_system_id touchscreen_dmi_table[] = { + DMI_EXACT_MATCH(DMI_BOARD_NAME, "0E57"), + }, + }, ++ { ++ /* RCA Cambio W101 v2 */ ++ /* https://github.com/onitake/gsl-firmware/discussions/193 */ ++ .driver_data = (void *)&rca_cambio_w101_v2_data, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "RCA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "W101SA23T1"), ++ }, ++ }, + { + /* RWC NANOTE P8 */ + .driver_data = (void *)&rwc_nanote_p8_data, +-- +2.35.1 + diff --git a/queue-6.0/revert-drm-amdgpu-revert-drm-amdgpu-getting-fan-spee.patch b/queue-6.0/revert-drm-amdgpu-revert-drm-amdgpu-getting-fan-spee.patch new file mode 100644 index 00000000000..bf3b073cf68 --- /dev/null +++ b/queue-6.0/revert-drm-amdgpu-revert-drm-amdgpu-getting-fan-spee.patch @@ -0,0 +1,65 @@ +From 037f4f8c73dab4d510ad793cdbaca6bc1824a198 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 18:28:40 +0800 +Subject: Revert "drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for + vega10 properly"" + +From: Asher Song + +[ Upstream commit 30b8e7b8ee3be003e0df85c857c5cd0e0bd58b82 ] + +This reverts commit 4545ae2ed3f2f7c3f615a53399c9c8460ee5bca7. + +The origin patch "drm/amdgpu: getting fan speed pwm for vega10 properly" works fine. +Test failure is caused by test case self. + +Signed-off-by: Asher Song +Reviewed-by: Guchun Chen +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/pm/powerplay/hwmgr/vega10_thermal.c | 25 +++++++++---------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c +index dad3e3741a4e..190af79f3236 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_thermal.c +@@ -67,22 +67,21 @@ int vega10_fan_ctrl_get_fan_speed_info(struct pp_hwmgr *hwmgr, + int vega10_fan_ctrl_get_fan_speed_pwm(struct pp_hwmgr *hwmgr, + uint32_t *speed) + { +- uint32_t current_rpm; +- uint32_t percent = 0; +- +- if (hwmgr->thermal_controller.fanInfo.bNoFan) +- return 0; ++ struct amdgpu_device *adev = hwmgr->adev; ++ uint32_t duty100, duty; ++ uint64_t tmp64; + +- if (vega10_get_current_rpm(hwmgr, ¤t_rpm)) +- return -1; ++ duty100 = REG_GET_FIELD(RREG32_SOC15(THM, 0, mmCG_FDO_CTRL1), ++ CG_FDO_CTRL1, FMAX_DUTY100); ++ duty = REG_GET_FIELD(RREG32_SOC15(THM, 0, mmCG_THERMAL_STATUS), ++ CG_THERMAL_STATUS, FDO_PWM_DUTY); + +- if (hwmgr->thermal_controller. +- advanceFanControlParameters.usMaxFanRPM != 0) +- percent = current_rpm * 255 / +- hwmgr->thermal_controller. +- advanceFanControlParameters.usMaxFanRPM; ++ if (!duty100) ++ return -EINVAL; + +- *speed = MIN(percent, 255); ++ tmp64 = (uint64_t)duty * 255; ++ do_div(tmp64, duty100); ++ *speed = MIN((uint32_t)tmp64, 255); + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/revert-net-macsec-report-real_dev-features-when-hw-o.patch b/queue-6.0/revert-net-macsec-report-real_dev-features-when-hw-o.patch new file mode 100644 index 00000000000..127ef2f0bd5 --- /dev/null +++ b/queue-6.0/revert-net-macsec-report-real_dev-features-when-hw-o.patch @@ -0,0 +1,114 @@ +From 6b65687dc2a60934e6904b4f8f236c4d29c19dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 22:33:12 +0100 +Subject: Revert "net: macsec: report real_dev features when HW offloading is + enabled" + +From: Sabrina Dubroca + +[ Upstream commit 8bcd560ae8784da57c610d857118c5d6576b1a8f ] + +This reverts commit c850240b6c4132574a00f2da439277ab94265b66. + +That commit tried to improve the performance of macsec offload by +taking advantage of some of the NIC's features, but in doing so, broke +macsec offload when the lower device supports both macsec and ipsec +offload, as the ipsec offload feature flags (mainly NETIF_F_HW_ESP) +were copied from the real device. Since the macsec device doesn't +provide xdo_* ops, the XFRM core rejects the registration of the new +macsec device in xfrm_api_check. + +Example perf trace when running + ip link add link eni1np1 type macsec port 4 offload mac + + ip 737 [003] 795.477676: probe:xfrm_dev_event__REGISTER name="macsec0" features=0x1c000080014869 + xfrm_dev_event+0x3a + notifier_call_chain+0x47 + register_netdevice+0x846 + macsec_newlink+0x25a + + ip 737 [003] 795.477687: probe:xfrm_dev_event__return ret=0x8002 (NOTIFY_BAD) + notifier_call_chain+0x47 + register_netdevice+0x846 + macsec_newlink+0x25a + +dev->features includes NETIF_F_HW_ESP (0x04000000000000), so +xfrm_api_check returns NOTIFY_BAD because we don't have +dev->xfrmdev_ops on the macsec device. + +We could probably propagate GSO and a few other features from the +lower device, similar to macvlan. This will be done in a future patch. + +Signed-off-by: Sabrina Dubroca +Reviewed-by: Antoine Tenart +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 27 ++++----------------------- + 1 file changed, 4 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index ddfa853ec9b5..d145ad189778 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2685,11 +2685,6 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) + if (ret) + goto rollback; + +- /* Force features update, since they are different for SW MACSec and +- * HW offloading cases. +- */ +- netdev_update_features(dev); +- + rtnl_unlock(); + return 0; + +@@ -3457,16 +3452,9 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, + return ret; + } + +-#define SW_MACSEC_FEATURES \ ++#define MACSEC_FEATURES \ + (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) + +-/* If h/w offloading is enabled, use real device features save for +- * VLAN_FEATURES - they require additional ops +- * HW_MACSEC - no reason to report it +- */ +-#define REAL_DEV_FEATURES(dev) \ +- ((dev)->features & ~(NETIF_F_VLAN_FEATURES | NETIF_F_HW_MACSEC)) +- + static int macsec_dev_init(struct net_device *dev) + { + struct macsec_dev *macsec = macsec_priv(dev); +@@ -3483,12 +3471,8 @@ static int macsec_dev_init(struct net_device *dev) + return err; + } + +- if (macsec_is_offloaded(macsec)) { +- dev->features = REAL_DEV_FEATURES(real_dev); +- } else { +- dev->features = real_dev->features & SW_MACSEC_FEATURES; +- dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE; +- } ++ dev->features = real_dev->features & MACSEC_FEATURES; ++ dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE; + + dev->needed_headroom = real_dev->needed_headroom + + MACSEC_NEEDED_HEADROOM; +@@ -3520,10 +3504,7 @@ static netdev_features_t macsec_fix_features(struct net_device *dev, + struct macsec_dev *macsec = macsec_priv(dev); + struct net_device *real_dev = macsec->real_dev; + +- if (macsec_is_offloaded(macsec)) +- return REAL_DEV_FEATURES(real_dev); +- +- features &= (real_dev->features & SW_MACSEC_FEATURES) | ++ features &= (real_dev->features & MACSEC_FEATURES) | + NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES; + features |= NETIF_F_LLTX; + +-- +2.35.1 + diff --git a/queue-6.0/risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch b/queue-6.0/risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch new file mode 100644 index 00000000000..63d96324d25 --- /dev/null +++ b/queue-6.0/risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch @@ -0,0 +1,69 @@ +From 16a85cc64502dc1ba4fe2b24b864b78576766b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 10:13:23 -0700 +Subject: RISC-V: vdso: Do not add missing symbols to version section in linker + script + +From: Nathan Chancellor + +[ Upstream commit fcae44fd36d052e956e69a64642fc03820968d78 ] + +Recently, ld.lld moved from '--undefined-version' to +'--no-undefined-version' as the default, which breaks the compat vDSO +build: + + ld.lld: error: version script assignment of 'LINUX_4.15' to symbol '__vdso_gettimeofday' failed: symbol not defined + ld.lld: error: version script assignment of 'LINUX_4.15' to symbol '__vdso_clock_gettime' failed: symbol not defined + ld.lld: error: version script assignment of 'LINUX_4.15' to symbol '__vdso_clock_getres' failed: symbol not defined + +These symbols are not present in the compat vDSO or the regular vDSO for +32-bit but they are unconditionally included in the version section of +the linker script, which is prohibited with '--no-undefined-version'. + +Fix this issue by only including the symbols that are actually exported +in the version section of the linker script. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1756 +Signed-off-by: Nathan Chancellor +Tested-by: Conor Dooley +Link: https://lore.kernel.org/r/20221108171324.3377226-1-nathan@kernel.org/ +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/vdso/Makefile | 3 +++ + arch/riscv/kernel/vdso/vdso.lds.S | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile +index 84ac0fe612e7..db6548509bb3 100644 +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -28,6 +28,9 @@ obj-vdso := $(addprefix $(obj)/, $(obj-vdso)) + + obj-y += vdso.o + CPPFLAGS_vdso.lds += -P -C -U$(ARCH) ++ifneq ($(filter vgettimeofday, $(vdso-syms)),) ++CPPFLAGS_vdso.lds += -DHAS_VGETTIMEOFDAY ++endif + + # Disable -pg to prevent insert call site + CFLAGS_REMOVE_vgettimeofday.o = $(CC_FLAGS_FTRACE) +diff --git a/arch/riscv/kernel/vdso/vdso.lds.S b/arch/riscv/kernel/vdso/vdso.lds.S +index 01d94aae5bf5..150b1a572e61 100644 +--- a/arch/riscv/kernel/vdso/vdso.lds.S ++++ b/arch/riscv/kernel/vdso/vdso.lds.S +@@ -68,9 +68,11 @@ VERSION + LINUX_4.15 { + global: + __vdso_rt_sigreturn; ++#ifdef HAS_VGETTIMEOFDAY + __vdso_gettimeofday; + __vdso_clock_gettime; + __vdso_clock_getres; ++#endif + __vdso_getcpu; + __vdso_flush_icache; + local: *; +-- +2.35.1 + diff --git a/queue-6.0/riscv-dts-sifive-unleashed-add-pwm-controlled-leds.patch b/queue-6.0/riscv-dts-sifive-unleashed-add-pwm-controlled-leds.patch new file mode 100644 index 00000000000..130de92a07e --- /dev/null +++ b/queue-6.0/riscv-dts-sifive-unleashed-add-pwm-controlled-leds.patch @@ -0,0 +1,83 @@ +From 3bba7b4a334041a77b2a50baf7886b0dbcb4ef42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Oct 2022 13:09:28 +0200 +Subject: riscv: dts: sifive unleashed: Add PWM controlled LEDs + +From: Emil Renner Berthing + +[ Upstream commit 8bc8824d30193eb7755043d5bb65fa7f0d11a595 ] + +This adds the 4 PWM controlled green LEDs to the HiFive Unleashed device +tree. The schematic doesn't specify any special function for the LEDs, +so they're added here without any default triggers and named d1, d2, d3 +and d4 just like in the schematic. + +Signed-off-by: Emil Renner Berthing +Reviewed-by: Conor Dooley +Tested-by: Conor Dooley +Link: https://lore.kernel.org/r/20221012110928.352910-1-emil.renner.berthing@canonical.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + .../boot/dts/sifive/hifive-unleashed-a00.dts | 38 +++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts b/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts +index ced0d4e47938..900a50526d77 100644 +--- a/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts ++++ b/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts +@@ -3,6 +3,8 @@ + + #include "fu540-c000.dtsi" + #include ++#include ++#include + + /* Clock frequency (in Hz) of the PCB crystal for rtcclk */ + #define RTCCLK_FREQ 1000000 +@@ -42,6 +44,42 @@ gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpio 10 GPIO_ACTIVE_LOW>; + }; ++ ++ led-controller { ++ compatible = "pwm-leds"; ++ ++ led-d1 { ++ pwms = <&pwm0 0 7812500 PWM_POLARITY_INVERTED>; ++ active-low; ++ color = ; ++ max-brightness = <255>; ++ label = "d1"; ++ }; ++ ++ led-d2 { ++ pwms = <&pwm0 1 7812500 PWM_POLARITY_INVERTED>; ++ active-low; ++ color = ; ++ max-brightness = <255>; ++ label = "d2"; ++ }; ++ ++ led-d3 { ++ pwms = <&pwm0 2 7812500 PWM_POLARITY_INVERTED>; ++ active-low; ++ color = ; ++ max-brightness = <255>; ++ label = "d3"; ++ }; ++ ++ led-d4 { ++ pwms = <&pwm0 3 7812500 PWM_POLARITY_INVERTED>; ++ active-low; ++ color = ; ++ max-brightness = <255>; ++ label = "d4"; ++ }; ++ }; + }; + + &uart0 { +-- +2.35.1 + diff --git a/queue-6.0/s390-always-build-relocatable-kernel.patch b/queue-6.0/s390-always-build-relocatable-kernel.patch new file mode 100644 index 00000000000..aa095fdf0f9 --- /dev/null +++ b/queue-6.0/s390-always-build-relocatable-kernel.patch @@ -0,0 +1,113 @@ +From 7fb4099d23048702276f7b3990c51a7b1902bc76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Oct 2022 19:22:02 +0100 +Subject: s390: always build relocatable kernel + +From: Heiko Carstens + +[ Upstream commit 80ddf5ce1c9291cb175d52ed1227134ad48c47ee ] + +Nathan Chancellor reported several link errors on s390 with +CONFIG_RELOCATABLE disabled, after binutils commit 906f69cf65da ("IBM +zSystems: Issue error for *DBL relocs on misaligned symbols"). The binutils +commit reveals potential miscompiles that might have happened already +before with linker script defined symbols at odd addresses. + +A similar bug was recently fixed in the kernel with commit c9305b6c1f52 +("s390: fix nospec table alignments"). + +See https://github.com/ClangBuiltLinux/linux/issues/1747 for an analysis +from Ulich Weigand. + +Therefore always build a relocatable kernel to avoid this problem. There is +hardly any use-case for non-relocatable kernels, so this shouldn't be +controversial. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1747 +Signed-off-by: Heiko Carstens +Reported-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20221030182202.2062705-1-hca@linux.ibm.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/Kconfig | 6 +++--- + arch/s390/Makefile | 2 -- + arch/s390/boot/Makefile | 3 +-- + arch/s390/boot/startup.c | 3 +-- + 4 files changed, 5 insertions(+), 9 deletions(-) + +diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig +index 318fce77601d..de575af02ffe 100644 +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -568,8 +568,7 @@ config EXPOLINE_FULL + endchoice + + config RELOCATABLE +- bool "Build a relocatable kernel" +- default y ++ def_bool y + help + This builds a kernel image that retains relocation information + so it can be loaded at an arbitrary address. +@@ -578,10 +577,11 @@ config RELOCATABLE + bootup process. + The relocations make the kernel image about 15% larger (compressed + 10%), but are discarded at runtime. ++ Note: this option exists only for documentation purposes, please do ++ not remove it. + + config RANDOMIZE_BASE + bool "Randomize the address of the kernel image (KASLR)" +- depends on RELOCATABLE + default y + help + In support of Kernel Address Space Layout Randomization (KASLR), +diff --git a/arch/s390/Makefile b/arch/s390/Makefile +index 4cb5d17e7ead..47bec926d6c0 100644 +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -14,10 +14,8 @@ KBUILD_AFLAGS_MODULE += -fPIC + KBUILD_CFLAGS_MODULE += -fPIC + KBUILD_AFLAGS += -m64 + KBUILD_CFLAGS += -m64 +-ifeq ($(CONFIG_RELOCATABLE),y) + KBUILD_CFLAGS += -fPIE + LDFLAGS_vmlinux := -pie +-endif + aflags_dwarf := -Wa,-gdwarf-2 + KBUILD_AFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -D__ASSEMBLY__ + ifndef CONFIG_AS_IS_LLVM +diff --git a/arch/s390/boot/Makefile b/arch/s390/boot/Makefile +index 883357a211a3..d52c3e2e16bc 100644 +--- a/arch/s390/boot/Makefile ++++ b/arch/s390/boot/Makefile +@@ -37,9 +37,8 @@ CFLAGS_sclp_early_core.o += -I$(srctree)/drivers/s390/char + + obj-y := head.o als.o startup.o mem_detect.o ipl_parm.o ipl_report.o + obj-y += string.o ebcdic.o sclp_early_core.o mem.o ipl_vmparm.o cmdline.o +-obj-y += version.o pgm_check_info.o ctype.o ipl_data.o ++obj-y += version.o pgm_check_info.o ctype.o ipl_data.o machine_kexec_reloc.o + obj-$(findstring y, $(CONFIG_PROTECTED_VIRTUALIZATION_GUEST) $(CONFIG_PGSTE)) += uv.o +-obj-$(CONFIG_RELOCATABLE) += machine_kexec_reloc.o + obj-$(CONFIG_RANDOMIZE_BASE) += kaslr.o + obj-y += $(if $(CONFIG_KERNEL_UNCOMPRESSED),,decompressor.o) info.o + obj-$(CONFIG_KERNEL_ZSTD) += clz_ctz.o +diff --git a/arch/s390/boot/startup.c b/arch/s390/boot/startup.c +index bc48fe82d949..e5026e1d277f 100644 +--- a/arch/s390/boot/startup.c ++++ b/arch/s390/boot/startup.c +@@ -285,8 +285,7 @@ void startup_kernel(void) + + clear_bss_section(); + copy_bootdata(); +- if (IS_ENABLED(CONFIG_RELOCATABLE)) +- handle_relocs(__kaslr_offset); ++ handle_relocs(__kaslr_offset); + + if (__kaslr_offset) { + /* +-- +2.35.1 + diff --git a/queue-6.0/s390-zcrypt-fix-warning-about-field-spanning-write.patch b/queue-6.0/s390-zcrypt-fix-warning-about-field-spanning-write.patch new file mode 100644 index 00000000000..1ca39f0e0c0 --- /dev/null +++ b/queue-6.0/s390-zcrypt-fix-warning-about-field-spanning-write.patch @@ -0,0 +1,87 @@ +From 026ee9c058d5b1253970a42d136f4e64582b0394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 10:05:25 +0200 +Subject: s390/zcrypt: fix warning about field-spanning write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Harald Freudenberger + +[ Upstream commit b43088f30db1a7bff61c8486238c195c77788d6d ] + +This patch fixes the warning + +memcpy: detected field-spanning write (size 60) of single field "to" at drivers/s390/crypto/zcrypt_api.h:173 (size 2) +WARNING: CPU: 1 PID: 2114 at drivers/s390/crypto/zcrypt_api.h:173 prep_ep11_ap_msg+0x2c6/0x2e0 [zcrypt] + +The code has been rewritten to use a union in combination +with a flex array to clearly state which part of the buffer +the payload is to be copied in via z_copy_from_user +function (which may call memcpy() in case of in-kernel calls). + +Signed-off-by: Harald Freudenberger +Suggested-by: Jürgen Christ +Reviewed-by: Jürgen Christ +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_msgtype6.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c +index 8fb34b8eeb18..5ad251477593 100644 +--- a/drivers/s390/crypto/zcrypt_msgtype6.c ++++ b/drivers/s390/crypto/zcrypt_msgtype6.c +@@ -342,7 +342,10 @@ static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg, + }; + struct { + struct type6_hdr hdr; +- struct CPRBX cprbx; ++ union { ++ struct CPRBX cprbx; ++ DECLARE_FLEX_ARRAY(u8, userdata); ++ }; + } __packed * msg = ap_msg->msg; + + int rcblen = CEIL4(xcrb->request_control_blk_length); +@@ -403,7 +406,8 @@ static int xcrb_msg_to_type6cprb_msgx(bool userspace, struct ap_message *ap_msg, + msg->hdr.fromcardlen2 = xcrb->reply_data_length; + + /* prepare CPRB */ +- if (z_copy_from_user(userspace, &msg->cprbx, xcrb->request_control_blk_addr, ++ if (z_copy_from_user(userspace, msg->userdata, ++ xcrb->request_control_blk_addr, + xcrb->request_control_blk_length)) + return -EFAULT; + if (msg->cprbx.cprb_len + sizeof(msg->hdr.function_code) > +@@ -469,9 +473,14 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap + + struct { + struct type6_hdr hdr; +- struct ep11_cprb cprbx; +- unsigned char pld_tag; /* fixed value 0x30 */ +- unsigned char pld_lenfmt; /* payload length format */ ++ union { ++ struct { ++ struct ep11_cprb cprbx; ++ unsigned char pld_tag; /* fixed value 0x30 */ ++ unsigned char pld_lenfmt; /* length format */ ++ } __packed; ++ DECLARE_FLEX_ARRAY(u8, userdata); ++ }; + } __packed * msg = ap_msg->msg; + + struct pld_hdr { +@@ -500,7 +509,7 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(bool userspace, struct ap_message *ap + msg->hdr.fromcardlen1 = xcrb->resp_len; + + /* Import CPRB data from the ioctl input parameter */ +- if (z_copy_from_user(userspace, &msg->cprbx.cprb_len, ++ if (z_copy_from_user(userspace, msg->userdata, + (char __force __user *)xcrb->req, xcrb->req_len)) { + return -EFAULT; + } +-- +2.35.1 + diff --git a/queue-6.0/scsi-ibmvfc-avoid-path-failures-during-live-migratio.patch b/queue-6.0/scsi-ibmvfc-avoid-path-failures-during-live-migratio.patch new file mode 100644 index 00000000000..b0a68033e35 --- /dev/null +++ b/queue-6.0/scsi-ibmvfc-avoid-path-failures-during-live-migratio.patch @@ -0,0 +1,65 @@ +From ac7ca2460793f5147ed14ada2d44c876543368a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 13:13:56 -0500 +Subject: scsi: ibmvfc: Avoid path failures during live migration + +From: Brian King + +[ Upstream commit 62fa3ce05d5d73c5eccc40b2db493f55fecfc446 ] + +Fix an issue reported when performing a live migration when multipath is +configured with a short fast fail timeout of 5 seconds and also to have +no_path_retry set to fail. In this scenario, all paths would go into the +devloss state while the ibmvfc driver went through discovery to log back +in. On a loaded system, the discovery might take longer than 5 seconds, +which was resulting in all paths being marked failed, which then resulted +in a read only filesystem. + +This patch changes the migration code in ibmvfc to avoid deleting rports at +all in this scenario, so we avoid losing all paths. + +Signed-off-by: Brian King +Link: https://lore.kernel.org/r/20221026181356.148517-1-brking@linux.vnet.ibm.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index 00684e11976b..1a0c0b7289d2 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -708,8 +708,13 @@ static void ibmvfc_init_host(struct ibmvfc_host *vhost) + memset(vhost->async_crq.msgs.async, 0, PAGE_SIZE); + vhost->async_crq.cur = 0; + +- list_for_each_entry(tgt, &vhost->targets, queue) +- ibmvfc_del_tgt(tgt); ++ list_for_each_entry(tgt, &vhost->targets, queue) { ++ if (vhost->client_migrated) ++ tgt->need_login = 1; ++ else ++ ibmvfc_del_tgt(tgt); ++ } ++ + scsi_block_requests(vhost->host); + ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_INIT); + vhost->job_step = ibmvfc_npiv_login; +@@ -3235,9 +3240,12 @@ static void ibmvfc_handle_crq(struct ibmvfc_crq *crq, struct ibmvfc_host *vhost, + /* We need to re-setup the interpartition connection */ + dev_info(vhost->dev, "Partition migrated, Re-enabling adapter\n"); + vhost->client_migrated = 1; ++ ++ scsi_block_requests(vhost->host); + ibmvfc_purge_requests(vhost, DID_REQUEUE); +- ibmvfc_link_down(vhost, IBMVFC_LINK_DOWN); ++ ibmvfc_set_host_state(vhost, IBMVFC_LINK_DOWN); + ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_REENABLE); ++ wake_up(&vhost->work_wait_q); + } else if (crq->format == IBMVFC_PARTNER_FAILED || crq->format == IBMVFC_PARTNER_DEREGISTER) { + dev_err(vhost->dev, "Host partner adapter deregistered or failed (rc=%d)\n", crq->format); + ibmvfc_purge_requests(vhost, DID_ERROR); +-- +2.35.1 + diff --git a/queue-6.0/scsi-scsi_debug-make-the-read-capacity-response-comp.patch b/queue-6.0/scsi-scsi_debug-make-the-read-capacity-response-comp.patch new file mode 100644 index 00000000000..5da5fe6596c --- /dev/null +++ b/queue-6.0/scsi-scsi_debug-make-the-read-capacity-response-comp.patch @@ -0,0 +1,59 @@ +From 0a549a82eea10bce98dc798c624e46340eefa64a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 12:32:48 -0700 +Subject: scsi: scsi_debug: Make the READ CAPACITY response compliant with ZBC + +From: Bart Van Assche + +[ Upstream commit ecb8c2580d37dbb641451049376d80c8afaa387f ] + +From ZBC-1: + + - RC BASIS = 0: The RETURNED LOGICAL BLOCK ADDRESS field indicates the + highest LBA of a contiguous range of zones that are not sequential write + required zones starting with the first zone. + + - RC BASIS = 1: The RETURNED LOGICAL BLOCK ADDRESS field indicates the LBA + of the last logical block on the logical unit. + +The current scsi_debug READ CAPACITY response does not comply with the +above if there are one or more sequential write required zones. SCSI +initiators need a way to retrieve the largest valid LBA from SCSI +devices. Reporting the largest valid LBA if there are one or more +sequential zones requires to set the RC BASIS field in the READ CAPACITY +response to one. Hence this patch. + +Cc: Douglas Gilbert +Cc: Damien Le Moal +Suggested-by: Damien Le Moal +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20221102193248.3177608-1-bvanassche@acm.org +Reviewed-by: Damien Le Moal +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index 95f940f5c996..7346098c1c68 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -1899,6 +1899,13 @@ static int resp_readcap16(struct scsi_cmnd *scp, + arr[14] |= 0x40; + } + ++ /* ++ * Since the scsi_debug READ CAPACITY implementation always reports the ++ * total disk capacity, set RC BASIS = 1 for host-managed ZBC devices. ++ */ ++ if (devip->zmodel == BLK_ZONED_HM) ++ arr[12] |= 1 << 4; ++ + arr[15] = sdebug_lowest_aligned & 0xff; + + if (have_dif_prot) { +-- +2.35.1 + diff --git a/queue-6.0/selftests-bpf-add-verifier-test-for-release_referenc.patch b/queue-6.0/selftests-bpf-add-verifier-test-for-release_referenc.patch new file mode 100644 index 00000000000..6bfc68c89e4 --- /dev/null +++ b/queue-6.0/selftests-bpf-add-verifier-test-for-release_referenc.patch @@ -0,0 +1,86 @@ +From 1fc7e7ab996e36035bb1a0b8b4b9c1a51445ca2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 17:34:40 +0800 +Subject: selftests/bpf: Add verifier test for release_reference() + +From: Youlin Li + +[ Upstream commit 475244f5e06beeda7b557d9dde46a5f439bf3379 ] + +Add a test case to ensure that released pointer registers will not be +leaked into the map. + +Before fix: + + ./test_verifier 984 + 984/u reference tracking: try to leak released ptr reg FAIL + Unexpected success to load! + verification time 67 usec + stack depth 4 + processed 23 insns (limit 1000000) max_states_per_insn 0 total_states 2 + peak_states 2 mark_read 1 + 984/p reference tracking: try to leak released ptr reg OK + Summary: 1 PASSED, 0 SKIPPED, 1 FAILED + +After fix: + + ./test_verifier 984 + 984/u reference tracking: try to leak released ptr reg OK + 984/p reference tracking: try to leak released ptr reg OK + Summary: 2 PASSED, 0 SKIPPED, 0 FAILED + +Signed-off-by: Youlin Li +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20221103093440.3161-2-liulin063@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/verifier/ref_tracking.c | 36 +++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/tools/testing/selftests/bpf/verifier/ref_tracking.c b/tools/testing/selftests/bpf/verifier/ref_tracking.c +index 57a83d763ec1..6dc65b2501ed 100644 +--- a/tools/testing/selftests/bpf/verifier/ref_tracking.c ++++ b/tools/testing/selftests/bpf/verifier/ref_tracking.c +@@ -905,3 +905,39 @@ + .result_unpriv = REJECT, + .errstr_unpriv = "unknown func", + }, ++{ ++ "reference tracking: try to leak released ptr reg", ++ .insns = { ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), ++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), ++ BPF_EXIT_INSN(), ++ BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), ++ ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_MOV64_IMM(BPF_REG_2, 8), ++ BPF_MOV64_IMM(BPF_REG_3, 0), ++ BPF_EMIT_CALL(BPF_FUNC_ringbuf_reserve), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), ++ BPF_EXIT_INSN(), ++ BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), ++ ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), ++ BPF_MOV64_IMM(BPF_REG_2, 0), ++ BPF_EMIT_CALL(BPF_FUNC_ringbuf_discard), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ ++ BPF_STX_MEM(BPF_DW, BPF_REG_9, BPF_REG_8, 0), ++ BPF_EXIT_INSN() ++ }, ++ .fixup_map_array_48b = { 4 }, ++ .fixup_map_ringbuf = { 11 }, ++ .result = ACCEPT, ++ .result_unpriv = REJECT, ++ .errstr_unpriv = "R8 !read_ok" ++}, +-- +2.35.1 + diff --git a/queue-6.0/selftests-net-don-t-tests-batched-tcp-io_uring-zc.patch b/queue-6.0/selftests-net-don-t-tests-batched-tcp-io_uring-zc.patch new file mode 100644 index 00000000000..3de28062bb3 --- /dev/null +++ b/queue-6.0/selftests-net-don-t-tests-batched-tcp-io_uring-zc.patch @@ -0,0 +1,38 @@ +From 6897d2be30ba2da138033bc772524c9c85e4ae8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 00:11:53 +0100 +Subject: selftests/net: don't tests batched TCP io_uring zc + +From: Pavel Begunkov + +[ Upstream commit 9921d5013a6e51892623bf2f1c5b49eaecda55ac ] + +It doesn't make sense batch submitting io_uring requests to a single TCP +socket without linking or some other kind of ordering. Moreover, it +causes spurious -EINTR fails due to interaction with task_work. Disable +it for now and keep queue depth=1. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/b547698d5938b1b1a898af1c260188d8546ded9a.1666700897.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/io_uring_zerocopy_tx.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/io_uring_zerocopy_tx.sh b/tools/testing/selftests/net/io_uring_zerocopy_tx.sh +index 32aa6e9dacc2..9ac4456d48fc 100755 +--- a/tools/testing/selftests/net/io_uring_zerocopy_tx.sh ++++ b/tools/testing/selftests/net/io_uring_zerocopy_tx.sh +@@ -29,7 +29,7 @@ if [[ "$#" -eq "0" ]]; then + for IP in "${IPs[@]}"; do + for mode in $(seq 1 3); do + $0 "$IP" udp -m "$mode" -t 1 -n 32 +- $0 "$IP" tcp -m "$mode" -t 1 -n 32 ++ $0 "$IP" tcp -m "$mode" -t 1 -n 1 + done + done + +-- +2.35.1 + diff --git a/queue-6.0/selftests-net-give-more-time-to-udpgro-bg-processes-.patch b/queue-6.0/selftests-net-give-more-time-to-udpgro-bg-processes-.patch new file mode 100644 index 00000000000..8dc3a252420 --- /dev/null +++ b/queue-6.0/selftests-net-give-more-time-to-udpgro-bg-processes-.patch @@ -0,0 +1,79 @@ +From 301423a1493f28e0c0e7f41ec5cd0a200227b597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:48:08 -0400 +Subject: selftests/net: give more time to udpgro bg processes to complete + startup + +From: Adrien Thierry + +[ Upstream commit cdb525ca92b196f8916102b62431aa0d9a644ff2 ] + +In some conditions, background processes in udpgro don't have enough +time to set up the sockets. When foreground processes start, this +results in the test failing with "./udpgso_bench_tx: sendmsg: Connection +refused". For instance, this happens from time to time on a Qualcomm +SA8540P SoC running CentOS Stream 9. + +To fix this, increase the time given to background processes to +complete the startup before foreground processes start. + +Signed-off-by: Adrien Thierry +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgro.sh | 4 ++-- + tools/testing/selftests/net/udpgro_bench.sh | 2 +- + tools/testing/selftests/net/udpgro_frglist.sh | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgro.sh b/tools/testing/selftests/net/udpgro.sh +index ebbd0b282432..6a443ca3cd3a 100755 +--- a/tools/testing/selftests/net/udpgro.sh ++++ b/tools/testing/selftests/net/udpgro.sh +@@ -50,7 +50,7 @@ run_one() { + echo "failed" & + + # Hack: let bg programs complete the startup +- sleep 0.1 ++ sleep 0.2 + ./udpgso_bench_tx ${tx_args} + ret=$? + wait $(jobs -p) +@@ -117,7 +117,7 @@ run_one_2sock() { + echo "failed" & + + # Hack: let bg programs complete the startup +- sleep 0.1 ++ sleep 0.2 + ./udpgso_bench_tx ${tx_args} -p 12345 + sleep 0.1 + # first UDP GSO socket should be closed at this point +diff --git a/tools/testing/selftests/net/udpgro_bench.sh b/tools/testing/selftests/net/udpgro_bench.sh +index fad2d1a71cac..8a1109a545db 100755 +--- a/tools/testing/selftests/net/udpgro_bench.sh ++++ b/tools/testing/selftests/net/udpgro_bench.sh +@@ -39,7 +39,7 @@ run_one() { + ip netns exec "${PEER_NS}" ./udpgso_bench_rx -t ${rx_args} -r & + + # Hack: let bg programs complete the startup +- sleep 0.1 ++ sleep 0.2 + ./udpgso_bench_tx ${tx_args} + } + +diff --git a/tools/testing/selftests/net/udpgro_frglist.sh b/tools/testing/selftests/net/udpgro_frglist.sh +index 832c738cc3c2..7fe85ba51075 100755 +--- a/tools/testing/selftests/net/udpgro_frglist.sh ++++ b/tools/testing/selftests/net/udpgro_frglist.sh +@@ -44,7 +44,7 @@ run_one() { + ip netns exec "${PEER_NS}" ./udpgso_bench_rx ${rx_args} -r & + + # Hack: let bg programs complete the startup +- sleep 0.1 ++ sleep 0.2 + ./udpgso_bench_tx ${tx_args} + } + +-- +2.35.1 + diff --git a/queue-6.0/series b/queue-6.0/series new file mode 100644 index 00000000000..8b836af5610 --- /dev/null +++ b/queue-6.0/series @@ -0,0 +1,43 @@ +binder-validate-alloc-mm-in-mmap-handler.patch +ceph-use-kcalloc-for-allocating-multiple-elements.patch +ceph-fix-null-pointer-dereference-for-req-r_session.patch +wifi-mac80211-fix-memory-free-error-when-registering.patch +wifi-cfg80211-fix-bitrates-overflow-issue.patch +wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch +spi-tegra210-quad-don-t-initialise-dma-if-not-suppor.patch +riscv-dts-sifive-unleashed-add-pwm-controlled-leds.patch +audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch +wifi-airo-do-not-assign-1-to-unsigned-char.patch +wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch +selftests-net-don-t-tests-batched-tcp-io_uring-zc.patch +wifi-ath11k-fix-qcn9074-firmware-boot-on-x86.patch +s390-zcrypt-fix-warning-about-field-spanning-write.patch +spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch +selftests-bpf-add-verifier-test-for-release_referenc.patch +selftests-net-give-more-time-to-udpgro-bg-processes-.patch +revert-net-macsec-report-real_dev-features-when-hw-o.patch +acpi-video-add-backlight-native-dmi-quirk-for-dell-g.patch +platform-x86-ideapad-laptop-disable-touchpad_switch.patch +platform-x86-touchscreen_dmi-add-info-for-the-rca-ca.patch +platform-x86-intel-pmt-sapphire-rapids-pmt-errata-fi.patch +platform-x86-intel-hid-add-some-acpi-device-ids.patch +scsi-ibmvfc-avoid-path-failures-during-live-migratio.patch +scsi-scsi_debug-make-the-read-capacity-response-comp.patch +drm-panel-orientation-quirks-add-quirk-for-nanote-um.patch +drm-panel-orientation-quirks-add-quirk-for-acer-swit.patch +block-bfq-fix-null-pointer-dereference-in-bfq_bio_bf.patch +s390-always-build-relocatable-kernel.patch +arm64-syscall-include-asm-ptrace.h-in-syscall_wrappe.patch +nvme-quiet-user-passthrough-command-errors.patch +nvmet-fix-memory-leak-in-nvmet_subsys_attr_model_sto.patch +net-wwan-iosm-fix-kernel-test-robot-reported-errors.patch +drm-amd-display-zeromem-mypipe-heap-struct-before-us.patch +drm-amd-display-fix-fclk-deviation-and-tool-compile-.patch +drm-amd-display-fix-gpio-port-mapping-issue.patch +revert-drm-amdgpu-revert-drm-amdgpu-getting-fan-spee.patch +drm-amdgpu-drop-eviction-lock-when-allocating-pt-bo.patch +drm-amd-display-only-fill-dirty-rectangles-when-psr-.patch +alsa-usb-audio-add-quirk-to-fix-hamedal-c20-disconne.patch +risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch +mips-pic32-treat-port-as-signed-integer.patch +io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch diff --git a/queue-6.0/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch b/queue-6.0/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch new file mode 100644 index 00000000000..0f48da4d1c3 --- /dev/null +++ b/queue-6.0/spi-stm32-fix-stm32_spi_prepare_mbr-that-halves-spi-.patch @@ -0,0 +1,51 @@ +From 67a43e710b4fb37d9f6bebd42e2950119d7fde18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 09:00:42 +0100 +Subject: spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every + run + +From: Sean Nyekjaer + +[ Upstream commit 62aa1a344b0904549f6de7af958e8a1136fd5228 ] + +When this driver is used with a driver that uses preallocated spi_transfer +structs. The speed_hz is halved by every run. This results in: + +spi_stm32 44004000.spi: SPI transfer setup failed +ads7846 spi0.0: SPI transfer failed: -22 + +Example when running with DIV_ROUND_UP(): +- First run; speed_hz = 1000000, spi->clk_rate 125000000 + div 125 -> mbrdiv = 7, cur_speed = 976562 +- Second run; speed_hz = 976562 + div 128,00007 (roundup to 129) -> mbrdiv = 8, cur_speed = 488281 +- Third run; speed_hz = 488281 + div 256,000131072067109 (roundup to 257) and then -EINVAL is returned. + +Use DIV_ROUND_CLOSEST to allow to round down and allow us to keep the +set speed. + +Signed-off-by: Sean Nyekjaer +Link: https://lore.kernel.org/r/20221103080043.3033414-1-sean@geanix.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-stm32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c +index 3c2fa2e2f94a..def09cf0dc14 100644 +--- a/drivers/spi/spi-stm32.c ++++ b/drivers/spi/spi-stm32.c +@@ -434,7 +434,7 @@ static int stm32_spi_prepare_mbr(struct stm32_spi *spi, u32 speed_hz, + u32 div, mbrdiv; + + /* Ensure spi->clk_rate is even */ +- div = DIV_ROUND_UP(spi->clk_rate & ~0x1, speed_hz); ++ div = DIV_ROUND_CLOSEST(spi->clk_rate & ~0x1, speed_hz); + + /* + * SPI framework set xfer->speed_hz to master->max_speed_hz if +-- +2.35.1 + diff --git a/queue-6.0/spi-tegra210-quad-don-t-initialise-dma-if-not-suppor.patch b/queue-6.0/spi-tegra210-quad-don-t-initialise-dma-if-not-suppor.patch new file mode 100644 index 00000000000..eee1e0164e0 --- /dev/null +++ b/queue-6.0/spi-tegra210-quad-don-t-initialise-dma-if-not-suppor.patch @@ -0,0 +1,55 @@ +From ec5a33a450319bcb3f9c4a9c2c1ee40637255ff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Oct 2022 16:56:33 +0100 +Subject: spi: tegra210-quad: Don't initialise DMA if not supported + +From: Jon Hunter + +[ Upstream commit ae4b3c1252f0fd0951d2f072a02ba46cac8d6c92 ] + +The following error messages are observed on boot for Tegra234 ... + + ERR KERN tegra-qspi 3270000.spi: cannot use DMA: -19 + ERR KERN tegra-qspi 3270000.spi: falling back to PIO + +Tegra234 does not support DMA for the QSPI and so initialising the DMA +is expected to fail. The above error messages are misleading for devices +that don't support DMA and so fix this by skipping the DMA +initialisation for devices that don't support DMA. + +Signed-off-by: Jon Hunter +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20221026155633.141792-1-jonathanh@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 904972606bd4..10f0c5a6e0dc 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -720,6 +720,9 @@ static int tegra_qspi_start_cpu_based_transfer(struct tegra_qspi *qspi, struct s + + static void tegra_qspi_deinit_dma(struct tegra_qspi *tqspi) + { ++ if (!tqspi->soc_data->has_dma) ++ return; ++ + if (tqspi->tx_dma_buf) { + dma_free_coherent(tqspi->dev, tqspi->dma_buf_size, + tqspi->tx_dma_buf, tqspi->tx_dma_phys); +@@ -750,6 +753,9 @@ static int tegra_qspi_init_dma(struct tegra_qspi *tqspi) + u32 *dma_buf; + int err; + ++ if (!tqspi->soc_data->has_dma) ++ return 0; ++ + dma_chan = dma_request_chan(tqspi->dev, "rx"); + if (IS_ERR(dma_chan)) { + err = PTR_ERR(dma_chan); +-- +2.35.1 + diff --git a/queue-6.0/wifi-airo-do-not-assign-1-to-unsigned-char.patch b/queue-6.0/wifi-airo-do-not-assign-1-to-unsigned-char.patch new file mode 100644 index 00000000000..6a2be580fcf --- /dev/null +++ b/queue-6.0/wifi-airo-do-not-assign-1-to-unsigned-char.patch @@ -0,0 +1,75 @@ +From c05d44032c640cd456efec795d4326c6b733e58d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 18:28:43 +0200 +Subject: wifi: airo: do not assign -1 to unsigned char + +From: Jason A. Donenfeld + +[ Upstream commit e6cb8769452e8236b52134e5cb4a18b8f5986932 ] + +With char becoming unsigned by default, and with `char` alone being +ambiguous and based on architecture, we get a warning when assigning the +unchecked output of hex_to_bin() to that unsigned char. Mark `key` as a +`u8`, which matches the struct's type, and then check each call to +hex_to_bin() before casting. + +Cc: Kalle Valo +Cc: linux-wireless@vger.kernel.org +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221024162843.535921-1-Jason@zx2c4.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/cisco/airo.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index 10daef81c355..fb2c35bd73bb 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -5232,7 +5232,7 @@ static int get_wep_tx_idx(struct airo_info *ai) + return -1; + } + +-static int set_wep_key(struct airo_info *ai, u16 index, const char *key, ++static int set_wep_key(struct airo_info *ai, u16 index, const u8 *key, + u16 keylen, int perm, int lock) + { + static const unsigned char macaddr[ETH_ALEN] = { 0x01, 0, 0, 0, 0, 0 }; +@@ -5283,7 +5283,7 @@ static void proc_wepkey_on_close(struct inode *inode, struct file *file) + struct net_device *dev = pde_data(inode); + struct airo_info *ai = dev->ml_priv; + int i, rc; +- char key[16]; ++ u8 key[16]; + u16 index = 0; + int j = 0; + +@@ -5311,12 +5311,22 @@ static void proc_wepkey_on_close(struct inode *inode, struct file *file) + } + + for (i = 0; i < 16*3 && data->wbuffer[i+j]; i++) { ++ int val; ++ ++ if (i % 3 == 2) ++ continue; ++ ++ val = hex_to_bin(data->wbuffer[i+j]); ++ if (val < 0) { ++ airo_print_err(ai->dev->name, "WebKey passed invalid key hex"); ++ return; ++ } + switch(i%3) { + case 0: +- key[i/3] = hex_to_bin(data->wbuffer[i+j])<<4; ++ key[i/3] = (u8)val << 4; + break; + case 1: +- key[i/3] |= hex_to_bin(data->wbuffer[i+j]); ++ key[i/3] |= (u8)val; + break; + } + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-fix-qcn9074-firmware-boot-on-x86.patch b/queue-6.0/wifi-ath11k-fix-qcn9074-firmware-boot-on-x86.patch new file mode 100644 index 00000000000..a79d78ba6fe --- /dev/null +++ b/queue-6.0/wifi-ath11k-fix-qcn9074-firmware-boot-on-x86.patch @@ -0,0 +1,50 @@ +From 70e97fa5e908516601555892e8918f85f7b8258c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 18:56:39 +0200 +Subject: wifi: ath11k: Fix QCN9074 firmware boot on x86 + +From: Tyler J. Stachecki + +[ Upstream commit 3a89b6dec9920026eaa90fe8457f4348d3388a98 ] + +The 2.7.0 series of QCN9074's firmware requests 5 segments +of memory instead of 3 (as in the 2.5.0 series). + +The first segment (11M) is too large to be kalloc'd in one +go on x86 and requires piecemeal 1MB allocations, as was +the case with the prior public firmware (2.5.0, 15M). + +Since f6f92968e1e5, ath11k will break the memory requests, +but only if there were fewer than 3 segments requested by +the firmware. It seems that 5 segments works fine and +allows QCN9074 to boot on x86 with firmware 2.7.0, so +change things accordingly. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.16 + +Signed-off-by: Tyler J. Stachecki +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221022042728.43015-1-stachecki.tyler@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.h b/drivers/net/wireless/ath/ath11k/qmi.h +index 2ec56a34fa81..0909d53cefeb 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.h ++++ b/drivers/net/wireless/ath/ath11k/qmi.h +@@ -27,7 +27,7 @@ + #define ATH11K_QMI_WLANFW_MAX_NUM_MEM_SEG_V01 52 + #define ATH11K_QMI_CALDB_SIZE 0x480000 + #define ATH11K_QMI_BDF_EXT_STR_LENGTH 0x20 +-#define ATH11K_QMI_FW_MEM_REQ_SEGMENT_CNT 3 ++#define ATH11K_QMI_FW_MEM_REQ_SEGMENT_CNT 5 + + #define QMI_WLFW_REQUEST_MEM_IND_V01 0x0035 + #define QMI_WLFW_FW_MEM_READY_IND_V01 0x0037 +-- +2.35.1 + diff --git a/queue-6.0/wifi-cfg80211-fix-bitrates-overflow-issue.patch b/queue-6.0/wifi-cfg80211-fix-bitrates-overflow-issue.patch new file mode 100644 index 00000000000..20816e3f554 --- /dev/null +++ b/queue-6.0/wifi-cfg80211-fix-bitrates-overflow-issue.patch @@ -0,0 +1,74 @@ +From 95cd450b46a56e0e843eef91f900a1ab0728334c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Oct 2022 21:04:28 +0800 +Subject: wifi: cfg80211: Fix bitrates overflow issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Zhang + +[ Upstream commit 18429c51c7ff6e6bfd627316c54670230967a7e5 ] + +When invoking function cfg80211_calculate_bitrate_eht about +(320 MHz, EHT-MCS 13, EHT-NSS 2, EHT-GI 0), which means the +parameters as flags: 0x80, bw: 7, mcs: 13, eht_gi: 0, nss: 2, +this formula (result * rate->nss) will overflow and causes +the returned bitrate to be 3959 when it should be 57646. + +Here is the explanation: + u64 tmp; + u32 result; + … + /* tmp = result = 4 * rates_996[0] + * = 4 * 480388888 = 0x72889c60 + */ + tmp = result; + + /* tmp = 0x72889c60 * 6144 = 0xabccea90000 */ + tmp *= SCALE; + + /* tmp = 0xabccea90000 / mcs_divisors[13] + * = 0xabccea90000 / 5120 = 0x8970bba6 + */ + do_div(tmp, mcs_divisors[rate->mcs]); + + /* result = 0x8970bba6 */ + result = tmp; + + /* normally (result * rate->nss) = 0x8970bba6 * 2 = 0x112e1774c, + * but since result is u32, (result * rate->nss) = 0x12e1774c, + * overflow happens and it loses the highest bit. + * Then result = 0x12e1774c / 8 = 39595753, + */ + result = (result * rate->nss) / 8; + +Signed-off-by: Paul Zhang +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 775836f6785a..450d609b512a 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1555,10 +1555,12 @@ static u32 cfg80211_calculate_bitrate_eht(struct rate_info *rate) + tmp = result; + tmp *= SCALE; + do_div(tmp, mcs_divisors[rate->mcs]); +- result = tmp; + + /* and take NSS */ +- result = (result * rate->nss) / 8; ++ tmp *= rate->nss; ++ do_div(tmp, 8); ++ ++ result = tmp; + + return result / 10000; + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch b/queue-6.0/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch new file mode 100644 index 00000000000..7d7c15d174c --- /dev/null +++ b/queue-6.0/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch @@ -0,0 +1,42 @@ +From 4d7de79aa3c706938229e0208e9a8b658c07bea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 16:01:33 +0200 +Subject: wifi: mac80211: Fix ack frame idr leak when mesh has no route + +From: Nicolas Cavallari + +[ Upstream commit 39e7b5de9853bd92ddbfa4b14165babacd7da0ba ] + +When trying to transmit an data frame with tx_status to a destination +that have no route in the mesh, then it is dropped without recrediting +the ack_status_frames idr. + +Once it is exhausted, wpa_supplicant starts failing to do SAE with +NL80211_CMD_FRAME and logs "nl80211: Frame command failed". + +Use ieee80211_free_txskb() instead of kfree_skb() to fix it. + +Signed-off-by: Nicolas Cavallari +Link: https://lore.kernel.org/r/20221027140133.1504-1-nicolas.cavallari@green-communications.fr +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_pathtbl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c +index acc1c299f1ae..69d5e1ec6ede 100644 +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -710,7 +710,7 @@ int mesh_path_send_to_gates(struct mesh_path *mpath) + void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata, + struct sk_buff *skb) + { +- kfree_skb(skb); ++ ieee80211_free_txskb(&sdata->local->hw, skb); + sdata->u.mesh.mshstats.dropped_frames_no_route++; + } + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-fix-memory-free-error-when-registering.patch b/queue-6.0/wifi-mac80211-fix-memory-free-error-when-registering.patch new file mode 100644 index 00000000000..4bde8bea3e4 --- /dev/null +++ b/queue-6.0/wifi-mac80211-fix-memory-free-error-when-registering.patch @@ -0,0 +1,53 @@ +From 8734023d45fb645d160683a1fd4fb05e09e2bbd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Oct 2022 17:38:31 +0800 +Subject: wifi: mac80211: fix memory free error when registering wiphy fail + +From: taozhang + +[ Upstream commit 50b2e8711462409cd368c41067405aa446dfa2af ] + +ieee80211_register_hw free the allocated cipher suites when +registering wiphy fail, and ieee80211_free_hw will re-free it. + +set wiphy_ciphers_allocated to false after freeing allocated +cipher suites. + +Signed-off-by: taozhang +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 5b1c47ed0cc0..87e24bba4c67 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1437,8 +1437,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + ieee80211_led_exit(local); + destroy_workqueue(local->workqueue); + fail_workqueue: +- if (local->wiphy_ciphers_allocated) ++ if (local->wiphy_ciphers_allocated) { + kfree(local->hw.wiphy->cipher_suites); ++ local->wiphy_ciphers_allocated = false; ++ } + kfree(local->int_scan_req); + return result; + } +@@ -1506,8 +1508,10 @@ void ieee80211_free_hw(struct ieee80211_hw *hw) + mutex_destroy(&local->iflist_mtx); + mutex_destroy(&local->mtx); + +- if (local->wiphy_ciphers_allocated) ++ if (local->wiphy_ciphers_allocated) { + kfree(local->hw.wiphy->cipher_suites); ++ local->wiphy_ciphers_allocated = false; ++ } + + idr_for_each(&local->ack_status_frames, + ieee80211_free_ack_frame, NULL); +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch b/queue-6.0/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch new file mode 100644 index 00000000000..e8bcb89256b --- /dev/null +++ b/queue-6.0/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch @@ -0,0 +1,57 @@ +From 89b355b8ae939f11f360f3c5746501637f154a7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Oct 2022 16:54:39 +0200 +Subject: wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support + +From: Jonas Jelonek + +[ Upstream commit 69188df5f6e4cecc6b76b958979ba363cd5240e8 ] + +Fixes a warning that occurs when rc table support is enabled +(IEEE80211_HW_SUPPORTS_RC_TABLE) in mac80211_hwsim and the PS mode +is changed via the exported debugfs attribute. + +When the PS mode is changed, a packet is broadcasted via +hwsim_send_nullfunc by creating and transmitting a plain skb with only +header initialized. The ieee80211 rate array in the control buffer is +zero-initialized. When ratetbl support is enabled, ieee80211_get_tx_rates +is called for the skb with sta parameter set to NULL and thus no +ratetbl can be used. The final rate array then looks like +[-1,0; 0,0; 0,0; 0,0] which causes the warning in ieee80211_get_tx_rate. + +The issue is fixed by setting the count of the first rate with idx '0' +to 1 and hence ieee80211_get_tx_rates won't overwrite it with idx '-1'. + +Signed-off-by: Jonas Jelonek +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index a074552bcec3..3179682daca7 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -910,6 +910,7 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac, + struct hwsim_vif_priv *vp = (void *)vif->drv_priv; + struct sk_buff *skb; + struct ieee80211_hdr *hdr; ++ struct ieee80211_tx_info *cb; + + if (!vp->assoc) + return; +@@ -931,6 +932,10 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac, + memcpy(hdr->addr2, mac, ETH_ALEN); + memcpy(hdr->addr3, vp->bssid, ETH_ALEN); + ++ cb = IEEE80211_SKB_CB(skb); ++ cb->control.rates[0].count = 1; ++ cb->control.rates[1].idx = -1; ++ + rcu_read_lock(); + mac80211_hwsim_tx_frame(data->hw, skb, + rcu_dereference(vif->bss_conf.chanctx_conf)->def.chan); +-- +2.35.1 + -- 2.47.3